How Moodle Stays Ahead Of The Curve In Data Protection


How Moodle Stays Ahead Of The Curve In Data Protection
“Protect” by Garry Knight is licensed under CC BY 2.0

Cybersecurity is the fastest rising concern across IT departments everywhere, and it has a special place for administrators of schools, colleges, and other learning organizations. But if your organization’s learning platform runs on Moodle, you might have less to worry about.

Recently, Moodle HQ Development Process Manager Marina Glancy announced the identification of two vulnerabilities in the Moodle code, which were readily patched:
  • MSA-18-0001: Server Side Request Forgery in the filepicker. A loophole in AJAX, a series of techniques that allow updating parts of a web page with new information without having to reload everything, allows any logged in user to get any valid URL of the site. Cloud-based Moodle sites were particularly at risk. Identified and patched on January 22.
  • MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames. A safeguard put in place in Moodle 3.2, namely the “cURL blocked hosts list” that prevented access from direct URL addresses by certain user roles, seems able to be superseded by DNS manipulation. Identified and patched on January 22.

Make sure your site is updated to the latest build of your Moodle version to ensure it is properly patched. If possible, upgrade to Moodle 3.4.1.

Stay on top of security patches and updates on the Moodle “Security announcements” forum and at

Leave a Reply

Your email address will not be published. Required fields are marked *