Moodle: cache poisoning via injection into storage
Description
Moodle requires additional validation for local storage to mitigate a cache poisoning risk, as per CVE-2024-43428.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-43428 describes a cache poisoning risk in Moodle caused by insufficient validation of data held in local storage [1]. Moodle keeps cached content in the browser's local storage for performance, and an attacker who can inject data there can corrupt what the client later reads back and treats as legitimate cached content.
Exploitation requires the ability to write arbitrary data into the local storage of a victim's browser for the Moodle origin, for example through cross-site scripting or another client-side attack. No Moodle authentication is required beyond that, but the attack is confined to the client side: it poisons one browser's cached copy rather than the server's data.
Successful cache poisoning lets manipulated content be displayed to the user, which can enable phishing or other social-engineering attacks; the integrity of cached data, and with it the trustworthiness of the Moodle interface, is compromised.
Moodle addressed the issue by adding validation checks on data read from local storage. Administrators should update to a patched release (see the affected packages below). The vulnerability is documented in the NVD entry [1] and linked to a Red Hat bug tracker.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | < 4.1.12 | 4.1.12 |
| moodle/moodle | Packagist | >= 4.2.0-beta, < 4.2.9 | 4.2.9 |
| moodle/moodle | Packagist | >= 4.3.0-beta, < 4.3.6 | 4.3.6 |
| moodle/moodle | Packagist | >= 4.4.0-beta, < 4.4.2 | 4.4.2 |
Affected products
Source: OSV coordinates (no CPE assigned); 2 version ranges listed, < 4.1.12 plus 1 more.
- (no CPE) range: < 4.1.12
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2r9m-wg35-rfvc (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-43428 (NVD advisory)
- bugzilla.redhat.com/show_bug.cgi (Red Hat issue tracker; x_refsource_REDHAT)
- moodle.org/mod/forum/discuss.php (Moodle security forum announcement)
News mentions
No linked articles in our index yet.