CVE-2022-35653

nvd nist nuclei

Published: Jul 25, 2022Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users.

Affected (12)

Products: Moodle: Moodle · Fedoraproject: Fedora · Redhat: Enterprise Linux

1 product

1 product

1 product

Enterprise Linux

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Moodle Moodle	From 3.11.0 to 3.11.8
Moodle Moodle	From 3.9.0 to 3.9.15
Moodle Moodle	Version 4.0.0
Moodle Moodle	Version 4.0.0 beta
Moodle Moodle	Version 4.0.0 rc1
Moodle Moodle	Version 4.0.0 rc2
Moodle Moodle	Version 4.0.0 rc3
Moodle Moodle	Version 4.0.0 rc4
Moodle Moodle	Version 4.0.1

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 35
Fedoraproject Fedora	Version 36

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 8.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (10)

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299

Source: patrick@puiterwijk.org

PatchVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2106277

Source: patrick@puiterwijk.org

Issue TrackingThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/

Source: patrick@puiterwijk.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/

Source: patrick@puiterwijk.org

https://moodle.org/mod/forum/discuss.php?d=436460

Source: patrick@puiterwijk.org

PatchVendor Advisory

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2106277

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/

Source: af854a3a-2127-422b-91ae-364da2661108

https://moodle.org/mod/forum/discuss.php?d=436460

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.