BIT-moodle-2022-35651

2024-03-0611:03:37

Google

osv.dev

moodle

xss vulnerability

ssrf vulnerability

insufficient sanitization

remote attacker

arbitrary code

sensitive information

phishing attacks

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.1 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.1%

JSON

A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.

CPENameOperatorVersion
moodlege4.0.0-rc1
moodlege4.0.0-rc3
moodlege3.11.0
moodlege4.0.0-rc4
moodlege4.0.0
moodlege4.0.1
moodlele4.0.0-beta
moodlele4.0.0
moodlege4.0.0-rc2
moodlele4.0.0-rc4

Name	Operator	Version
moodle	ge	4.0.0-rc1
moodle	ge	4.0.0-rc3
moodle	ge	3.11.0
moodle	ge	4.0.0-rc4
moodle	ge	4.0.0
moodle	ge	4.0.1
moodle	le	4.0.0-beta
moodle	le	4.0.0
moodle	ge	4.0.0-rc2
moodle	le	4.0.0-rc4