PT-2024-17: Stored Cross-Site Scripting (Stored XSS) in Moodle

MEDIUM
(6.0) CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

What are the security threats on your network?

Check your traffic-for free
Request pilot

Vendor: Moodle

Product: Moodle

Vulnerable version: 4.0 - 4.3.3, 4.2 - 4.2.6, 4.1 - 4.1.9 and earlier unsupported versions

Vulnerability type:

- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Identifier (ID):

BDU:2024-04202

CVE-2024-33997

Vulnerability vector:

- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

- Severity (CVSSv3.1): 5.7 (medium)

- Base Vulnerability score (CVSS v4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

- Severity (CVSS v4.0): 6.0 (medium)

Description:

The vulnerability was identified in Moodle versions 4.0 - 4.3.3, 4.2 - 4.2.6, 4.1 - 4.1.9 and older unsupported versions.

Insufficient sanitization while opening the equation editor leads to Stored XSS attack when editing another user's equation.

Discovered vulnerability allows an attacker to execute arbitrary JavaScript code in victim's browser.

Vulnerability status: Confirmed by vendor

Date of vulnerability detection: 22.02.24

Recommendations:

Update to versions 4.3.4, 4.2.7 and 4.1.10 or higher

Additional information:

Security Bulletin
Press-Release

Researcher: Aleksey Solovev (Positive Technologies)

Identifier:
CVE-2024-33997
BDU:2024-04202
Vendor:
Moodle
Vulnerable product:
Moodle

Get in touch

Fill in the form and our specialists
will contact you shortly