CVE-2023-35131 Moodle: xss risk on groups page

2023-06-2200:00:00

CWE-79

fedora

github.com

moodle

xss risk

groups page

version 4.2

version 4.1

version 4.0

version 3.11

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.1

Confidence

High

EPSS

0.001

Percentile

37.9%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14.

CNA Affected

[
  {
    "versions": [
      {
        "status": "affected",
        "version": "4.2.0",
        "lessThan": "4.2.1",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "4.1.0",
        "lessThan": "4.1.4",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "4.0.0",
        "lessThan": "4.0.9",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "3.11.0",
        "lessThan": "3.11.15",
        "versionType": "semver"
      }
    ],
    "packageName": "moodle",
    "collectionURL": "https://git.moodle.org",
    "defaultStatus": "unaffected"
  }
]