CVE-2022-35653
Moodle LTI module reflected XSS risk
Description
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick a victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser, in the context of the vulnerable website, to steal potentially sensitive information, change the appearance of the web page, or perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users.
How to fix CVE-2022-35653
To remediate CVE-2022-35653, upgrade the affected package to the fixed release of the branch you run (the fixed versions are the upper bounds of the affected ranges listed below):
- upgrade to 3.9.15 or later on the 3.9 branch
- upgrade to 3.11.8 or later on the 3.11 branch
- upgrade to 4.0.2 or later on the 4.0 branch
Is CVE-2022-35653 being exploited?
Likely — EPSS is 83.6%, placing CVE-2022-35653 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (2)
- >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.1, >= 4.0.1, < 4.0.2
- >= 4.0, < 4.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |