Lucene search

GoogleOSV:GHSA-JQGR-GH62-JF53

HistoryOct 01, 2022 - 12:00 a.m.

Moodle Stored Cross-site Scripting and page denial of service

2022-10-0100:00:20

Google

osv.dev

moodle

stored cross-site scripting

cross-site scripting

page denial of service

mustache template

user input

software

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

38.5%

JSON

Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an Cross-site Scripting risk or a page failing to load.

References

bugzilla.redhat.com/show_bug.cgi?id=2128146

github.com/moodle/moodle

moodle.org/mod/forum/discuss.php?d=438392

nvd.nist.gov/vuln/detail/CVE-2022-40313