Lucene search

[email protected]CVE-2022-35651

HistoryJul 25, 2022 - 4:15 p.m.

CVE-2022-35651

2022-07-2516:15:08

CWE-79

[email protected]

web.nvd.nist.gov

cve-2022-35651

stored xss

blind ssrf

moodle

scorm

vulnerability

remote code execution

web security

information security

nvd

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.6 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.2%

JSON

A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.

Affected configurations

NVD

Node

moodlemoodleRange3.9.0–3.9.15

moodlemoodleRange3.11.0–3.11.8

moodlemoodleMatch4.0.0-

moodlemoodleMatch4.0.0beta

moodlemoodleMatch4.0.0rc1

moodlemoodleMatch4.0.0rc2

moodlemoodleMatch4.0.0rc3

moodlemoodleMatch4.0.0rc4

moodlemoodleMatch4.0.1

Node

redhatenterprise_linuxMatch8.0-

Node

fedoraprojectfedoraMatch35

fedoraprojectfedoraMatch36

CPENameOperatorVersion
moodle:moodlemoodlelt3.9.15
moodle:moodlemoodlelt3.11.8
moodle:moodlemoodleeq4.0.0
moodle:moodlemoodleeq4.0.1

CPE	Name	Operator	Version
moodle:moodle	moodle	lt	3.9.15
moodle:moodle	moodle	lt	3.11.8
moodle:moodle	moodle	eq	4.0.0
moodle:moodle	moodle	eq	4.0.1

CNA Affected

[
  {
    "product": "Moodle",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in moodle 4.0.2, moodle 3.11.8, moodle 3.9.15"
      }
    ]
  }
]