GitHub Advisory Database: GHSA-F6MH-79VH-2HV7
Mar 22, 2024 - 3:31 p.m.

Cross-site Scripting in Moodle Chat

2024-03-22 15:31:07
CWE-79
Source: GitHub Advisory Database (github.com)
Tags: cross-site scripting, moodle 4.3.3, html injection, performance degradation, vendor documentation, vulnerable software, chat activity

AI Score: 6.5 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.7%)

The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor’s Using_Chat page says “If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text.” This page also says “Chat is due to be removed from standard Moodle.”

Affected configurations

Vulners
Node
moodle moodle Range 4.3.3
CPE Name Operator Version
moodle/moodle le 4.3.3
