Severity: LOW · CVE-2024-3932 · CVSS 3.1

CVE-2024-3932: CSRF in Totara LMS

Platform: php

Component: totara-lms

Fixed in: the x.y.1 patch release of every affected x.y branch, namely 13.0.1 through 13.45.1, 14.0.1 through 14.37.1, 15.0.1 through 15.32.1, 16.0.1 through 16.26.1, 17.0.1 through 17.20.1, and 18.0.1 through 18.7.1 (the full per-branch mapping is in the Affected Software table below).

AI Confidence: high · Source: NVD · EPSS 0.0% · Reviewed: May 2026

A cross-site request forgery (CSRF) vulnerability has been identified in Totara LMS versions up to 18.7. The flaw allows an attacker to trigger unintended actions on behalf of an authenticated user who is induced to visit a crafted page. The affected code is an unspecified part of the User Selector component. Upgrading to version 18.8 resolves the issue.

Impact and Attack Scenarios

Successful exploitation of CVE-2024-3932 could allow an attacker to perform actions as a logged-in user within the Totara LMS environment. Depending on that user's permissions, this could include modifying user profiles, creating new users, or carrying out other administrative tasks. The high attack complexity limits the immediate risk, but the public disclosure means attackers are actively seeking ways to bypass these barriers. The potential blast radius is bounded by the permissions of the victim user within the LMS.

Exploitation Context

This vulnerability has been publicly disclosed, which increases the likelihood of exploitation. The CVSS severity is LOW, reflecting the high attack complexity and correspondingly low probability of successful exploitation. No active campaigns or KEV listing are currently associated with this CVE, although the public availability of details could change that. The vulnerability was published on 2024-04-18.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.05% (15th percentile)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
CVSS v3.1 Base Score: 3.1 (LOW)

Metric               Value      Meaning
Attack Vector        Network    How the attacker reaches the target
Attack Complexity    High       Conditions required to exploit
Privileges Required  None       Authentication level needed to attack
User Interaction     Required   Whether a victim must take action
Scope                Unchanged  Impact beyond the vulnerable component
Confidentiality      None       Risk of sensitive data exposure
Integrity            Low        Risk of unauthorized data modification
Availability         None       Risk of service disruption

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Component: totara-lms
Vendor: Totara

Every affected branch x.y is listed as its own range "x.y – x.y" with the fix in the corresponding x.y.1 patch release (for example 13.0 – 13.0 is fixed in 13.0.1, and 18.7 – 18.7 is fixed in 18.7.1). Grouped by major version:

Affected ranges                                  Fixed in
13.0 – 13.0 through 13.45 – 13.45 (46 branches)  13.0.1 through 13.45.1
14.0 – 14.0 through 14.37 – 14.37 (38 branches)  14.0.1 through 14.37.1
15.0 – 15.0 through 15.32 – 15.32 (33 branches)  15.0.1 through 15.32.1
16.0 – 16.0 through 16.26 – 16.26 (27 branches)  16.0.1 through 16.26.1
17.0 – 17.0 through 17.20 – 17.20 (21 branches)  17.0.1 through 17.20.1
18.0 – 18.0 through 18.7 – 18.7 (8 branches)     18.0.1 through 18.7.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-3932 is to upgrade Totara LMS to version 18.8 or later. If an immediate upgrade is not feasible, consider implementing strict input validation and output encoding on all user-facing forms to reduce the attack surface. Requiring a CSRF token on every state-changing (sensitive) action adds a further layer of protection. After upgrading, confirm the fix in a controlled test environment by submitting a cross-site request against a sensitive action and verifying that the application rejects it.
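The following is an added illustration of the token check described above, written for this page as generic, framework-independent Python; it is not Totara's code, and the form-field name `csrf_token`, the action names `add_user` and `remove_user`, and the dict-backed session are all assumptions made for the example. It shows the synchronizer-token pattern (a per-session secret that a cross-site page cannot read and therefore cannot include in a forged request) together with the checks a reviewer looks for: the token is bound to the session, compared in constant time, and required on every state-changing action, which must also be a POST so a plain cross-site link or image load cannot trigger it.

```python
import hmac
import secrets

TOKEN_BYTES = 32
TOKEN_FIELD = "csrf_token"  # assumed form-field name; Totara's own field name is not on the page
ALLOWED_ACTIONS = ("add_user", "remove_user")  # constructed action names for the example


def new_session():
    """Create a fresh server-side session (a plain dict stands in for real session storage)."""
    return {"user_id": None, "csrf_token": None}


def issue_token(session):
    """Return the CSRF token bound to this session, minting one on first use.

    The token is rendered into legitimate forms as a hidden field; a page on
    another origin cannot read it, so a forged request cannot supply it.
    """
    if session["csrf_token"] is None:
        session["csrf_token"] = secrets.token_urlsafe(TOKEN_BYTES)
    return session["csrf_token"]


def verify_token(session, submitted):
    """Constant-time check that the submitted token is the one bound to this session.

    Fails closed: no token on the session, no/invalid submission, or a token
    issued to a different session all return False.
    """
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_user_selector_request(session, method, form):
    """Gatekeeper for a state-changing user-selector action.

    Returns ("applied", action) when the request is accepted, otherwise
    ("rejected", reason). The ordering matters: method and token are checked
    before any business logic runs, so a forged request never reaches it.
    """
    if method != "POST":
        return ("rejected", "state-changing action must be a POST")
    if not verify_token(session, form.get(TOKEN_FIELD)):
        return ("rejected", "missing or invalid CSRF token")
    action = form.get("action")
    if action not in ALLOWED_ACTIONS:
        return ("rejected", "unknown action")
    return ("applied", action)


def run_scenarios():
    """Constructed requests: one legitimate submission and three forged/malformed ones."""
    victim = new_session()
    token = issue_token(victim)
    legit = handle_user_selector_request(
        victim, "POST", {"action": "add_user", TOKEN_FIELD: token})
    # A cross-site form post cannot know the victim's token.
    forged_no_token = handle_user_selector_request(
        victim, "POST", {"action": "add_user"})
    # A token the attacker obtained from their own session does not match the victim's.
    attacker = new_session()
    forged_other_token = handle_user_selector_request(
        victim, "POST", {"action": "add_user", TOKEN_FIELD: issue_token(attacker)})
    # A GET (e.g. an <img src=...> on a hostile page) is refused regardless of token.
    forged_get = handle_user_selector_request(
        victim, "GET", {"action": "add_user", TOKEN_FIELD: token})
    return legit, forged_no_token, forged_other_token, forged_get


if __name__ == "__main__":
    for label, outcome in zip(
            ("legitimate", "no token", "other session's token", "GET"), run_scenarios()):
        print(f"{label:>22}: {outcome}")
```

The post-upgrade check the text asks for is the same logic in reverse: drive the sensitive action without the token (or with a token from a different session) and confirm the application returns the rejection rather than applying the change. Setting the session cookie with the `SameSite` attribute complements, but does not replace, the token check.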

How to fix

Upgrade Totara LMS to version 13.46, 14.38, 15.33, 16.27, 17.21 or 18.8, or a later version. This will correct the Cross-Site Request Forgery (CSRF) vulnerability in the user selector. It is recommended to create a backup before upgrading.


Frequently asked questions

What is CVE-2024-3932 — CSRF in Totara LMS?

CVE-2024-3932 is a cross-site request forgery vulnerability affecting Totara LMS versions up to 18.7, allowing attackers to potentially perform actions as a logged-in user.

Am I affected by CVE-2024-3932 in Totara LMS?

You are affected if you are running Totara LMS version 18.7 or earlier. Upgrade to version 18.8 to mitigate the risk.

How do I fix CVE-2024-3932 in Totara LMS?

Upgrade Totara LMS to version 18.8 or later. Consider implementing CSRF tokens and input validation as interim measures.

Is CVE-2024-3932 being actively exploited?

While no active campaigns are confirmed, the vulnerability has been publicly disclosed, increasing the potential for exploitation.

Where can I find the official Totara LMS advisory for CVE-2024-3932?

Refer to the Totara LMS security advisory page for the latest information and updates: [https://totaralms.com/security/](https://totaralms.com/security/)
