Vendor: Moodle
Product: Moodle
Vulnerable version: 4.0 - 4.3.3, 4.2 - 4.2.6, 4.1 - 4.1.9 and earlier unsupported versions
Vulnerability type:
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Identifier (ID):
Vulnerability vector:
- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
- Severity (CVSSv3.1): 5.7 (medium)
- Base Vulnerability score (CVSS v4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
- Severity (CVSS v4.0): 6.0 (medium)
Description:
The vulnerability was identified in Moodle versions 4.0 - 4.3.3, 4.2 - 4.2.6, 4.1 - 4.1.9 and older unsupported versions.
Insufficient sanitization when the equation editor is opened leads to a stored XSS attack when a user edits an equation saved by another user.
The discovered vulnerability allows an attacker to execute arbitrary JavaScript code in the victim's browser.
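The sanitization gap the description refers to, as an added illustration that is not Moodle's own code: a stored equation interpolated into the editor's markup verbatim, next to the escaped form, plus a small audit helper. The function names, the textarea element and the sample equation are assumptions.

```javascript
// Added illustration of the pattern behind this advisory; not Moodle's code.
// buildEditorMarkup*, looksLikeMarkup and the sample equation are assumptions.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML-escape a stored equation string so the browser treats it as text.
function escapeEquation(equation) {
  return String(equation).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable pattern: the equation saved by one user is interpolated verbatim into
// the editor's markup when another user opens it, so any tags it contains are parsed.
function buildEditorMarkupUnsafe(storedEquation) {
  return `<textarea class="equation-input">${storedEquation}</textarea>`;
}

// Hardened pattern: escape before interpolation. A textarea in particular must be
// escaped, because a literal "</textarea>" in the stored value would close it early.
function buildEditorMarkup(storedEquation) {
  return `<textarea class="equation-input">${escapeEquation(storedEquation)}</textarea>`;
}

// Audit helper for equations stored before patching: flags values that contain
// something shaped like an HTML tag (opening or closing) rather than TeX.
// "x < y" and "a<b" are left alone; "<img ...>" and "</textarea>" are flagged.
function looksLikeMarkup(storedEquation) {
  return /<\s*\/?\s*[a-z][a-z0-9-]*[\s>\/]/i.test(storedEquation);
}

// Constructed sample: a valid fraction followed by an injected tag.
const SAMPLE_EQUATION = '\\frac{a}{b} <img src=x onerror="alert(1)">';
```

Running looksLikeMarkup over existing stored equations after updating gives a quick list of records worth reviewing.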
Vulnerability status: Confirmed by vendor
Date of vulnerability detection: 22.02.24
Recommendations:
Update to versions 4.3.4, 4.2.7 and 4.1.10 or higher
Additional information:
Security Bulletin
Press-Release
Researcher: Aleksey Solovev (Positive Technologies)