Lucene search

Ubuntu.comUB:CVE-2023-46858

HistoryOct 29, 2023 - 12:00 a.m.

CVE-2023-46858

2023-10-2900:00:00

ubuntu.com

moodle

xss

vulnerability

grade report

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

6.1 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

DISPUTED Moodle 4.3 allows
/grade/report/grader/index.php?searchvalue= reflected XSS when logged in as
a teacher. NOTE: the Moodle Security FAQ link states “Some forms of rich
content [are] used by teachers to enhance their courses … admins and
teachers can post XSS-capable content, but students can not.”

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchmoodle< anyUNKNOWN
ubuntu16.04noarchmoodle< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	moodle	< any	UNKNOWN
ubuntu	16.04	noarch	moodle	< any	UNKNOWN

References

docs.moodle.org/403/en/Security_FAQ#I_have_discovered_Cross_Site_Scripting_.28XSS.29_is_possible_with_Moodle

gist.github.com/Abid-Ahmad/12d2b4878eb731e8871b96b7d55125cd

launchpad.net/bugs/cve/CVE-2023-46858

nvd.nist.gov/vuln/detail/CVE-2023-46858

security-tracker.debian.org/tracker/CVE-2023-46858

www.cve.org/CVERecord?id=CVE-2023-46858