Lucene search

GoogleOSV:BIT-MOODLE-2023-23922

HistoryMar 06, 2024 - 11:01 a.m.

BIT-moodle-2023-23922

2024-03-0611:01:14

Google

osv.dev

moodle

blog search

vulnerability

remote attacker

xss

html

script code

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.0%

JSON

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks.

CPENameOperatorVersion
moodlelt4.0.6
moodlege4.1.0
moodlele4.1.0
moodlege4.0.0

Name	Operator	Version
moodle	lt	4.0.6
moodle	ge	4.1.0
moodle	le	4.1.0
moodle	ge	4.0.0

References

git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76861

bugzilla.redhat.com/show_bug.cgi?id=2162547

moodle.org/mod/forum/discuss.php?d=443273#p1782022

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.0%

JSON

Related for OSV:BIT-MOODLE-2023-23922