Lucene search

GitHub Advisory DatabaseGHSA-GRMJ-GPWM-98WW

HistoryFeb 17, 2023 - 9:30 p.m.

Moodle Cross-site Scripting vulnerability

2023-02-1721:30:41

CWE-79

GitHub Advisory Database

github.com

moodle

cross-site scripting

insufficient sanitization

blog search

remote attacker

html

script code

xss attacks

vulnerability

arbitrary execution

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

50.2%

JSON

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks.

Affected configurations

Vulners

Node

moodlemoodleRange4.1.0-beta–4.1.1

moodlemoodleRange4.0.0-beta–4.0.6

VendorProductVersionCPE
moodlemoodle*cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
moodle	moodle	*	cpe:2.3:a:moodle:moodle::::::::

References

git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76861

bugzilla.redhat.com/show_bug.cgi?id=2162547

github.com/advisories/GHSA-grmj-gpwm-98ww

moodle.org/mod/forum/discuss.php?d=443273#p1782022

nvd.nist.gov/vuln/detail/CVE-2023-23922

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

50.2%

JSON

Related for GHSA-GRMJ-GPWM-98WW