History: Nov 28, 2022 - 9:15 p.m.

CVE-2022-46147

2022-11-28 21:15:10
CWE-79
web.nvd.nist.gov
xblock
drag and drop
cross-site scripting
vulnerability
patch
target image
learner
platform impact

CVSS3: 6.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 42.4%

Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image. Versions prior to 3.0.0 are vulnerable to cross-site scripting in multiple XBlock Fields. Any platform that has deployed the XBlock may be impacted. Version 3.0.0 contains a patch for this issue. There are no known workarounds.

Affected configurations

Nvd

Node: openedx xblock-drag-and-drop-v2, Range <3.0.0

Vendor | Product | Version | CPE
openedx | xblock-drag-and-drop-v2 | * | cpe:2.3:a:openedx:xblock-drag-and-drop-v2:*:*:*:*:*:*:*:*
