CVE-2022-35651

Published: Jul 25, 2022Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.

Affected (12)

Products: Moodle: Moodle · Redhat: Enterprise Linux · Fedoraproject: Fedora

1 product

1 product

Enterprise Linux

1 product

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Moodle Moodle	From 3.11.0 to 3.11.8
Moodle Moodle	From 3.9.0 to 3.9.15
Moodle Moodle	Version 4.0.0
Moodle Moodle	Version 4.0.0 beta
Moodle Moodle	Version 4.0.0 rc1
Moodle Moodle	Version 4.0.0 rc2
Moodle Moodle	Version 4.0.0 rc3
Moodle Moodle	Version 4.0.0 rc4
Moodle Moodle	Version 4.0.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 8.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 35
Fedoraproject Fedora	Version 36

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (10)

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71921

Source: patrick@puiterwijk.org

PatchVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2106275

Source: patrick@puiterwijk.org

Issue TrackingThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/

Source: patrick@puiterwijk.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/

Source: patrick@puiterwijk.org

https://moodle.org/mod/forum/discuss.php?d=436458

Source: patrick@puiterwijk.org

Vendor Advisory

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71921

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2106275

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/

Source: af854a3a-2127-422b-91ae-364da2661108

https://moodle.org/mod/forum/discuss.php?d=436458

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.