CVE-2023-35133 HIGH

CVE-2023-35133: Moodle: ssrf risk due to insufficient check on the curl blocked hosts

Weakness CWE-918 · SSRF

Published June 22, 2023

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

Key dates

02Disclosure timeline

June 22, 2023 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-35133 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2026-0807 Frontis Blocks <= 1.1.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter CVE-2026-6333 SSRF via Host Header Spoofing in Custom Slash Commands CVE-2025-14008 dayrui XunRuiCMS Project Domain Change Test admin79f2ec220c7e.php server-side request forgery CVE-2026-46683 Snappy: SSRF and local file read via the xsl-style-sheet option CVE-2026-49328 Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF