CVE-2022-0332 A flaw was found in Moodle in versions 3.11 to 3.11.4

All Moodle installations on the affected server versions were patched to prevent exploitation. If you suspect your site may have been vulnerable, consider installing a Breach Monitor add-on to get alerted immediately if your site is breached.

Moodle was also found to be vulnerable to cross-site request forgery attacks in 3.2.4. A malicious user could execute a request against one of your Moodle installations to change the site’s settings or add an administrator.
In versions 3.2.2 to 3.2.4, a cross-site scripting risk was identified that could lead to arbitrary code execution.

An unauthenticated user could access the ‘Add and remove groups’ page and add themselves to a group.

Moodle was also found to be vulnerable to cross-site request forgery attacks in 3.2.2. A malicious user could execute a request against one of your Moodle installations to change the site’s settings or add an administrator.

- CVE-2022-0332: The Moodle team has confirmed a vulnerability in the 3.2.4, 3.2.2 and 3.2 versions of Moodle which allows XSS attacks to be executed against all installations on the server using that version of Moodle.
- The vulnerability is in the "Add and remove groups" functionality, which does not verify that a user is authorized to change their own group membership, allowing attackers to add users to groups without their knowledge or consent.
- To prevent exploitation via this vulnerability, upgrade your Moodle installation immediately through a secure patching process (see below). If you are unable to upgrade your installation at this time, consider installing a Breach Monitor add-on to get alerted immediately if your site is breached.
