CVE-2022-45151 - Stored-XSS vulnerability discovered in Moodle "social" user profile fields: Exploit details, code snippet, and original references
A stored cross-site scripting (XSS) vulnerability, CVE-2022-45151, has been disclosed in the e-learning platform Moodle. It exists because several "social" user profile fields (Skype ID, AIM ID and similar contact details) were emitted into pages without adequate sanitization of the user-supplied value, so anyone with an account could store arbitrary HTML and script in their own profile and have it execute in other users' browsers in the context of the vulnerable site. This post covers the exploit details, gives a proof-of-concept snippet, and points to the original references.
Moodle versions affected: 3.11 up to and including 3.11.3 (fixed in the 3.11.4, 3.10.7 and 3.9.10 security releases cited below).
The stored-XSS vulnerability allows an attacker to place script or HTML in one of the "social" user profile fields. The value is saved with the attacker's profile and runs in the browser of anyone who views a page that renders that field, so a single edit can affect many victims over time. Because the script runs in the site's origin, it can hijack the victim's session, perform actions as the victim (Moodle exposes the per-session sesskey to page scripts, so HttpOnly session cookies do not prevent this), inject fake login forms to harvest credentials, or redirect users to attacker-controlled sites.
The root cause is that the stored field value is written into the profile page's HTML without entity encoding for the context it lands in. Input validation on the edit form is only defence in depth; the actual fix is to encode the value at output time wherever it is rendered.
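To make the root cause concrete, here is an added JavaScript example written for this page (it is not Moodle's own PHP rendering code) that models how a stored social field value reaches the page. renderUnsafe() concatenates the stored string straight into the HTML template, which is the class of bug described above; renderSafe() entity-encodes it first. The dt/dd template, the field label and the sample values are assumptions for illustration, and the example also covers the link-target case, where encoding alone is not enough.

```javascript
// Added example for this page, not Moodle's own code. It models how a stored
// "social" profile value (e.g. Skype ID) is emitted into a profile page:
// renderUnsafe() trusts the stored string as markup, which is the class of
// bug behind CVE-2022-45151; renderSafe() entity-encodes it first. Field
// names and the dt/dd template are assumptions, not Moodle's real output.

// HTML entity encoding for text content and double/single-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the stored value is concatenated straight into HTML.
function renderUnsafe(label, value) {
  return `<dt>${label}</dt><dd>${value}</dd>`;
}

// Hardened rendering: the value is encoded for the HTML text context it lands in.
function renderSafe(label, value) {
  return `<dt>${escapeHtml(label)}</dt><dd>${escapeHtml(value)}</dd>`;
}

// Link targets need more than encoding: a javascript: URL contains no angle
// brackets, so entity-encoding it changes nothing. Allow only absolute
// http(s) URLs and substitute a harmless value otherwise.
function safeHref(value) {
  try {
    const u = new URL(String(value));
    return u.protocol === 'http:' || u.protocol === 'https:' ? escapeHtml(u.href) : '#';
  } catch (e) {
    return '#'; // not an absolute URL at all
  }
}

// Demo check: strip the template's own dt/dd tags and see whether any
// attacker-supplied start tag survives in the rendered fragment.
function hasInjectedTag(html) {
  const withoutTemplate = html.replace(/<\/?d[td]>/g, '');
  return /<[a-zA-Z]/.test(withoutTemplate);
}

// Constructed sample values: the page's PoC, a variant that does not rely on
// <script>, and a benign Skype ID for comparison.
const SAMPLE_VALUES = [
  "<script>alert('XSS Vulnerability');</script>",
  '<img src=x onerror="alert(document.domain)">',
  'live:alice.example',
];

// Renders each sample both ways and reports whether markup survived.
function compareRenderings(values = SAMPLE_VALUES) {
  return values.map((v) => ({
    value: v,
    unsafeHasTag: hasInjectedTag(renderUnsafe('Skype ID', v)),
    safeHasTag: hasInjectedTag(renderSafe('Skype ID', v)),
  }));
}

for (const r of compareRenderings()) {
  console.log(`${r.value.slice(0, 24).padEnd(24)} unsafe:${r.unsafeHasTag} safe:${r.safeHasTag}`);
}
console.log('javascript: URL ->', safeHref('javascript:alert(1)'));
```

The point of the comparison is that the unsafe path lets both the script tag and the attribute-based img payload through unchanged, while the encoded path leaves only inert text; the URL allow-list shows why a field that becomes an href has to be validated by scheme rather than merely encoded.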
Code Snippet
Here is a minimal proof-of-concept payload that demonstrates the vulnerability; the alert() is only a visible marker, and a real attacker would substitute script that acts on the victim's session:
<script>alert('XSS Vulnerability');</script>
An attacker can inject this code snippet into one of the vulnerable "social" profile fields (e.g., Skype ID):
Skype ID: <script>alert('XSS Vulnerability');</script>
When another user or an administrator views the attacker's profile, the injected script executes in their browser with the site's origin, potentially compromising their session or sensitive data.
Steps to Reproduce
1. Register or log in as a low-privileged user (the attacker) on the vulnerable Moodle site.
2. Navigate to the "Edit Profile" page (e.g., https://vulnerable-moodle-site/user/edit.php?id=<user_id>&course=1).
3. Enter the malicious script (e.g., <script>alert('XSS Vulnerability');</script>) into one or more vulnerable "social" user profile fields (e.g., Skype ID, AIM ID) and save the profile.
4. Get affected users or administrators to view the attacker's user profile (for example by posting in a forum they read, since profile links appear next to posts).
5. The injected script executes in each viewer's browser when the profile is rendered, leading to a potential compromise of their session or sensitive data.
Mitigation
Administrators should update Moodle to 3.11.4, 3.10.7, 3.9.10 or later, which contain the fix. Note that the patch corrects how the fields are rendered; any payload an attacker stored before the update is still in the database, so existing profile data should be reviewed for markup and cleaned up, and any custom themes, reports or integrations that print these fields themselves should be checked for proper output encoding. A restrictive Content-Security-Policy header is a useful additional layer that limits what an injected script can do.
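The review of already-stored data mentioned above can be scripted. The following is an added example for this page, not Moodle code or a Moodle tool: it runs a set of suspicious-content patterns over profile field values and reports the hits. The rows and the field names (skype, aim, url) are constructed sample data standing in for a database query, not Moodle's schema.

```javascript
// Added example for this page, not Moodle code. Updating fixes the rendering,
// but values an attacker already stored stay in the database. This scan flags
// profile field values that carry markup, inline event handlers or
// script-bearing URLs so they can be cleaned up. The rows and field names
// (skype, aim, url) are constructed sample data, not Moodle's schema.

const SUSPICIOUS_PATTERNS = [
  { name: 'html-tag',      re: /<\s*\/?[a-z!]/i },                       // any start/end/comment tag
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },                      // onerror=, onmouseover=, ...
  { name: 'script-url',    re: /^\s*(javascript|vbscript|data)\s*:/i },  // dangerous URL schemes
];

// Returns the names of every pattern that matches the value.
function classify(value) {
  const s = value == null ? '' : String(value);
  return SUSPICIOUS_PATTERNS.filter(({ re }) => re.test(s)).map(({ name }) => name);
}

// Walks every field of every profile row and collects the suspicious ones.
function scanProfiles(rows) {
  const findings = [];
  for (const row of rows) {
    for (const [field, value] of Object.entries(row.fields)) {
      const matched = classify(value);
      if (matched.length > 0) findings.push({ userid: row.userid, field, value, hits: matched });
    }
  }
  return findings;
}

// Constructed sample rows standing in for a query over the user profile tables.
const SAMPLE_ROWS = [
  { userid: 2, fields: { skype: 'alice.example', aim: '', url: 'https://example.org/~alice' } },
  { userid: 7, fields: { skype: "<script>alert('XSS Vulnerability');</script>", aim: 'bob', url: '' } },
  { userid: 9, fields: { skype: 'x" onmouseover="alert(1)', aim: '', url: 'javascript:alert(document.cookie)' } },
];

for (const f of scanProfiles(SAMPLE_ROWS)) {
  console.log(`user ${f.userid} field ${f.field}: ${f.hits.join(',')} -> ${JSON.stringify(f.value)}`);
}
```

The patterns are a triage filter, not a parser: they deliberately over-match (a legitimate value containing "on=" would be flagged) so that hits are reviewed by a person rather than deleted automatically, and the event-handler pattern catches values that break out of an attribute without using a tag at all.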
Original References
- Moodle Tracker: MDL-73033 - Stored XSS RCE in users' social contact fields
- Moodle Security Announcements: Moodle 3.11.4, 3.10.7 and 3.9.10 security releases
In conclusion, CVE-2022-45151 is a stored-XSS vulnerability affecting several "social" user profile fields in Moodle. Keeping your Moodle installation up to date, encoding user-supplied values at output time, reviewing stored profile data after patching, and educating users about security best practices all help prevent this and similar vulnerabilities from being exploited.
Timeline
Published on: 11/23/2022 15:15:00 UTC
Last modified on: 01/31/2023 20:05:00 UTC