GHSA-wwv7-h477-wrv7

Source

https://github.com/advisories/GHSA-wwv7-h477-wrv7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-wwv7-h477-wrv7/GHSA-wwv7-h477-wrv7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wwv7-h477-wrv7

Aliases

BIT-moodle-2022-35651
CVE-2022-35651

Published

2022-07-26T00:00:29Z

Modified

2024-04-23T23:58:27.980079Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Moodle Stored XSS and blind SSRF possible via SCORM track details

Details

A stored Cross-site Scripting (XSS) and blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.

Database specific

{
    "nvd_published_at": "2022-07-25T16:15:00Z",
    "cwe_ids": [
        "CWE-79",
        "CWE-918"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T23:37:10Z"
}

References

Affected packages

Packagist / moodle/moodle

Package

Name: moodle/moodle
Purl: pkg:composer/moodle/moodle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.9

Fixed

3.9.15

Affected versions

v3.*

v3.9.0-beta

v3.9.0-rc1

v3.9.0-rc2

v3.9.0-rc3

v3.9.0

v3.9.1

v3.9.2

v3.9.3

v3.9.4

v3.9.5

v3.9.6

v3.9.7

v3.9.8

v3.9.9

v3.9.10

v3.9.11

v3.9.12

v3.9.13

v3.9.14

Packagist / moodle/moodle

Package

Name: moodle/moodle
Purl: pkg:composer/moodle/moodle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.11

Fixed

3.11.8

Affected versions

v3.*

v3.11.0-beta

v3.11.0-rc1

v3.11.0-rc2

v3.11.0

v3.11.1

v3.11.2

v3.11.3

v3.11.4

v3.11.5

v3.11.6

v3.11.7

Packagist / moodle/moodle

Package

Name: moodle/moodle
Purl: pkg:composer/moodle/moodle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0

Fixed

4.0.2

Affected versions

v4.*

v4.0.0-beta

v4.0.0-rc1

v4.0.0-rc2

v4.0.0-rc3

v4.0.0-rc4

v4.0.0

v4.0.1