CVE-2022-35652: Open Redirect in Moodle

CWE-601 (Open Redirect) | 4 documents | 3 sources
Severity: 6.1 MEDIUM (NVD)
EPSS: 0.4% (top 40.51%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 25; latest update Jul 26

Description

An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in the mobile auto-login feature. A remote attacker can craft a link that appears to lead to a trusted website but, when clicked, redirects the victim to an arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (3 packages)

Source | Package | Introduced | Fixed | More
NVD | moodle/moodle | 3.9.0 | 3.9.15 | +2
Packagist | moodle/moodle | 4.0 | 4.0.2 | +2
CVEListV5 | moodle/moodle | Fixed in moodle 4.0.2, moodle 3.11.8, moodle 3.9.15

Also affects: Fedora 35, 36

Vulnerability Details

GHSA: Moodle Open redirect risk in mobile auto-login feature (2022-07-26)
OSV: Moodle Open redirect risk in mobile auto-login feature (2022-07-26)
OSV: CVE-2022-35652: An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature (2022-07-25)