CVE-2022-35649 — Code Injection in Moodle

CWE-94 — Code Injection CWE-20 — Improper Input Validation4 documents3 sources

Severity

9.8CRITICALNVD

EPSS

7.5%

top 8.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moodle Fedoraproject Fedora

Timeline

PublishedJul 25

Latest updateJul 26

Description

The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDmoodle/moodle3.9.0 — 3.9.15+2

▶Packagistmoodle/moodle3.9 — 3.9.15+2

▶CVEListV5moodle/moodleFixed in moodle 4.0.2, moodle 3.11.8, moodle 3.9.15

Also affects: Fedora 35, 36

Patches

Patch: git.moodle.org ↗Patch: git.moodle.org ↗

🔴Vulnerability Details

GHSA

Moodle PostScript Code Injection↗2022-07-26

▶

OSV

Moodle PostScript Code Injection↗2022-07-26

▶

OSV

CVE-2022-35649: The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code↗2022-07-25

▶