CVE-2022-45149 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability affecting Moodle, a widely used open-source learning management system (LMS). The vulnerability arises from insufficient validation of the HTTP request origin in the course redirect URL mechanism. Specifically, when a user restores a course, their CSRF token is unnecessarily included in the URL during redirection. This improper handling allows a remote attacker to craft a malicious webpage that, when visited by an authenticated Moodle user, can trigger unauthorized actions on the victim's behalf without their consent. The attack exploits the trust a Moodle instance places in the user's browser and session, bypassing protections that normally prevent CSRF by embedding the token in the URL rather than in a secure request header or form parameter. The vulnerability affects Moodle versions prior to 4.0.5, 3.11.11, and 3.9.18, where patches have been applied to correct the token handling and validate request origins properly. The CVSS 3.1 base score is 5.4, reflecting a network attack vector with low attack complexity, no privileges required, but requiring user interaction (visiting a malicious page). The impact is limited to confidentiality and integrity, with no availability impact. No known exploits are currently reported in the wild, but the vulnerability remains a risk due to Moodle's extensive deployment in educational institutions worldwide.

For European organizations, especially educational institutions, universities, and training providers that rely heavily on Moodle, this vulnerability poses a risk of unauthorized actions being performed on behalf of legitimate users. Potential impacts include unauthorized changes to course content, enrollment manipulation, or disclosure of limited user information tied to the CSRF token exposure. While the vulnerability does not directly lead to system compromise or denial of service, it undermines user trust and data integrity within the LMS environment. Given Moodle's widespread adoption in Europe, exploitation could disrupt academic operations, lead to data privacy concerns under GDPR, and damage institutional reputations. The requirement for user interaction (visiting a malicious page) means phishing or social engineering campaigns could be used to trigger attacks, increasing the risk in environments with less user security awareness. The absence of known exploits suggests limited active threat, but the medium severity and ease of exploitation warrant prompt remediation.

1. Immediate patching: Upgrade all Moodle instances to versions 4.0.5, 3.11.11, or 3.9.18 or later where the vulnerability is fixed. 2. Implement strict Content Security Policy (CSP) headers to reduce the risk of malicious external content triggering CSRF attacks. 3. Educate users about phishing and social engineering risks, emphasizing caution when clicking on unknown links, especially those purporting to be related to Moodle courses. 4. Review and harden web server and application configurations to enforce same-site cookie attributes (SameSite=Lax or Strict) to mitigate CSRF risks. 5. Monitor Moodle logs for unusual activity patterns indicative of CSRF exploitation attempts, such as unexpected course modifications or enrollment changes. 6. Consider deploying Web Application Firewalls (WAFs) with rules tuned to detect and block suspicious CSRF-related traffic targeting Moodle endpoints. 7. Conduct regular security assessments and penetration tests focusing on web application vulnerabilities, including CSRF, to proactively identify and remediate weaknesses.