Moodle 3.9.x < 3.9.15 Multiple Vulnerabilities

The version of Moodle installed on the remote host is 3.9.x prior to 3.9.15, 3.11.x prior to 3.11.8 or 4.0.x prior to 4.0.2. It is, therefore, affected by multiple vulnerabilities:

• A code injection through an omitted execution parameter elading to Remote Code Execution (RCE) for sites running GhostScript versions older than 9.50. (CVE-2022-35649)

• An arbitrary file read due to an insufficient path checks in a lesson question import available to teachers, managers and admins by default. (CVE-2022-35650)

• A stored Cross-Site Scripting (XSS) and blind Server-Side Request Forgery (SSRF) vulnerabilities due to an insufficient sanitizing of SCORM track details. (CVE-2022-35651)

• An open redirect vulnerability due to the lack of sanitization in the mobile auto-login URL. (CVE-2022-35652)

• A Cross-Site Scripting (XSS) vulnerability in the LTI module only affecting unauthentication users. (CVE-2022-35653)

Note that the scanner has not attempted to exploit this issue but has instead relied only on application’s self-reported version number.