moodle: unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php
Description
The referrer URL used by MFA required additional sanitizing, rather than being used directly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 4.3.0, < 4.3.4 | 4.3.4 |
Affected products
- OSV coordinates (2 versions): >= 4.3.0, < 4.3.4 (+ 1 more)
- (no CPE) range: >= 4.3.0, < 4.3.4
Patches
Vulnerability mechanics
Root cause
"Missing input validation on the HTTP Referer header allows an open redirect."
Attack vector
An attacker can craft a malicious `Referer` header and send it to the MFA configuration page (`/admin/tool/mfa/index.php`). The old code read `$_SERVER['HTTP_REFERER']` directly without validation, so a crafted referrer URL could be used to redirect an authenticated administrator to an external site after the MFA action completes [CWE-20]. The attack requires the victim to have the `moodle/site:config` capability and to be tricked into visiting the page with the malicious header.
What the fix does
The patch replaces the direct use of `$_SERVER['HTTP_REFERER']` with a call to `get_local_referer(false)`. This function validates that the referrer URL is a local Moodle URL, preventing an attacker from injecting an arbitrary external URL. By sanitizing the referrer through the framework's own URL validation, the fix closes the open-redirect vector.
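The vulnerable pattern beside a hardened one, as an added example that is neither this page's nor Moodle's code. `local_referer_or()` and `$wwwroot` are hypothetical stand-ins for the role that `get_local_referer(false)` and `$CFG->wwwroot` play in the actual patch, and the sample `Referer` values are constructed; the point it shows is that a redirect target taken from a request header must be checked against the site's own origin before use.

```php
<?php
declare(strict_types=1);

// Added example, not Moodle's code. Contrasts the vulnerable pattern the
// advisory describes with one that only trusts a Referer pointing back to
// the site's own origin and path prefix. $wwwroot stands in for Moodle's
// $CFG->wwwroot; local_referer_or() is a hypothetical helper illustrating
// what the get_local_referer(false) call in the fix is for, not how Moodle
// implements it.

// Vulnerable pattern: the Referer header is attacker-controlled, yet it is
// handed straight back as the redirect target, so any absolute URL in it
// becomes the destination (the open redirect behind CVE-2024-33999).
function redirect_target_unsafe(array $server, string $fallback): string
{
    return $server['HTTP_REFERER'] ?? $fallback;
}

// Hardened pattern: keep the Referer only when scheme, host and port match
// the site root and its path sits under the site root's path; otherwise
// send the user to a known-safe local page instead.
function local_referer_or(array $server, string $wwwroot, string $fallback): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $ref  = parse_url($referer);
    $root = parse_url($wwwroot);
    if ($referer === '' || $ref === false || $root === false) {
        return $fallback;
    }
    // Scheme-relative ("//evil.example/"), scheme-only ("javascript:...")
    // and userinfo tricks ("https://moodle.example@evil.example/") all fail
    // here: parse_url yields no scheme, no host, or the wrong host.
    foreach (['scheme', 'host'] as $part) {
        if (!isset($ref[$part], $root[$part])
            || strcasecmp($ref[$part], $root[$part]) !== 0) {
            return $fallback;
        }
    }
    if (($ref['port'] ?? null) !== ($root['port'] ?? null)) {
        return $fallback;
    }
    // A site installed in a subdirectory (https://host/moodle) must not
    // treat https://host/other-app/... as local.
    $rootPath = rtrim($root['path'] ?? '', '/');
    $refPath  = $ref['path'] ?? '/';
    if ($rootPath !== '' && $refPath !== $rootPath
        && strncmp($refPath, $rootPath . '/', strlen($rootPath) + 1) !== 0) {
        return $fallback;
    }
    return $referer;
}

// Constructed sample requests; only the first Referer should be accepted.
$wwwroot  = 'https://moodle.example';
$fallback = $wwwroot . '/admin/tool/mfa/index.php';
$samples  = [
    ['HTTP_REFERER' => 'https://moodle.example/admin/tool/mfa/index.php'],
    ['HTTP_REFERER' => 'https://attacker.example/'],
    ['HTTP_REFERER' => 'https://moodle.example@attacker.example/'],
    ['HTTP_REFERER' => '//attacker.example/'],
    ['HTTP_REFERER' => 'https://moodle.example.attacker.example/'],
    [],  // request without any Referer header
];
foreach ($samples as $server) {
    echo ($server['HTTP_REFERER'] ?? '(no Referer)') . "\n";
    echo '  unsafe: ' . redirect_target_unsafe($server, $fallback) . "\n";
    echo '  safe:   ' . local_referer_or($server, $wwwroot, $fallback) . "\n";
}
```

Run it with `php referer_check.php`; the unsafe column echoes every attacker-supplied value back as a redirect target, while the hardened helper returns the fallback for each of them and passes through only the same-origin URL. In a real Moodle deployment the framework's own `get_local_referer()` should be used rather than a hand-rolled check like this one, since it is maintained alongside `$CFG->wwwroot` handling.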
Preconditions
- input: Attacker must craft an HTTP request with a malicious Referer header pointing to an external site.
- auth: Victim must be authenticated with the moodle/site:config capability.
- network: Victim must be tricked into visiting /admin/tool/mfa/index.php with the crafted header.
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r2wx-46gp-rp3h (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-33999 (GHSA, advisory)
- moodle.org/mod/forum/discuss.php (GHSA, web)