CVE-2022-40313 — Cross-site Scripting in Moodle

CWE-79 — Cross-site Scripting CWE-94 — Code Injection6 documents4 sources

Severity

7.1HIGHNVD

EPSS

0.4%

top 41.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moodle Fedoraproject Extra Packages FOR Enterprise Linux Fedoraproject Fedora

Timeline

PublishedSep 30

Latest updateAug 17

Description

Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.7

Affected Packages4 packages

▶NVDmoodle/moodle3.9.0 — 3.9.17+2

▶Packagistmoodle/moodle3.9 — 3.9.17+2

▶CVEListV5moodle/moodle4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions

▶NVDfedoraproject/extra_packages8.0

Also affects: Fedora 35, 36

Patches

Patch: moodle.org ↗Patch: moodle.org ↗

🔴Vulnerability Details

GHSA

OpenNMS vulnerable to remote code execution↗2023-08-17

▶

OSV

Moodle Stored Cross-site Scripting and page denial of service↗2022-10-01

▶

GHSA

Moodle Stored Cross-site Scripting and page denial of service↗2022-10-01

▶

OSV

CVE-2022-40313: Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load↗2022-09-30

▶

CVEList

CVE-2022-40313: Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load↗2022-09-30

▶