Recently, a flaw identified as CVE-2022-30596 was discovered in Moodle, the widely used open-source Learning Management System (LMS). The vulnerability exposes users to a stored Cross-Site Scripting (XSS) risk when allocating markers to assignments in bulk. A malicious actor could exploit this flaw to inject and run a harmful script, potentially obtaining sensitive information or taking control of a user's environment. This article discusses the details of CVE-2022-30596, including how it works, the affected versions, and possible fixes.

Vulnerability Details

The stored XSS vulnerability (CVE-2022-30596) lies within Moodle's assignment marking workflow feature. More specifically, the flaw occurs when bulk allocating markers to assignments using ID numbers. The ID numbers displayed are not correctly sanitized, which allows an attacker to inject malicious JavaScript code in the form of an altered ID number. Since the injected code is stored within Moodle, it can be executed every time a user interacts with the affected resource.

Here's an example of an ID number that could be tampered with to exploit the vulnerability:

<input type="text" name="markeridnumber" value="<script>alert('XSS')</script>">

With this exploit, the attacker could gain unauthorized access to a user's cookies, session tokens, or other sensitive information. It could also serve as a stepping stone to further attacks that compromise the user's system or the entire Moodle environment.
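The missing output encoding described above, shown as an added example in plain PHP (not Moodle's own code or its patch): the `<option>` markup, the function names and the sample rows are assumptions made for illustration. It renders a stored ID number without and with HTML encoding, then flags stored values that contain HTML-significant characters so an administrator can review them.

```php
<?php
declare(strict_types=1);

// Constructed sample data: user id => ID number as stored in the database.
// The second value is the payload quoted in the article.
$storedIdNumbers = [
    101 => 'STAFF-0042',
    102 => "<script>alert('XSS')</script>",
    103 => 'Dept "A" & B',
];

// Unsafe pattern: the stored value is concatenated straight into markup,
// so the browser parses any tags it contains.
function render_marker_option_unsafe(int $userId, string $idNumber): string
{
    return '<option value="' . $userId . '">' . $idNumber . '</option>';
}

// Hardened pattern: encode for the HTML context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function render_marker_option_safe(int $userId, string $idNumber): string
{
    $encoded = htmlspecialchars($idNumber, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<option value="' . $userId . '">' . $encoded . '</option>';
}

// Audit helper: a value whose encoded form differs from its raw form
// contains characters that carry meaning in HTML and deserves a look.
function find_suspicious_id_numbers(array $rows): array
{
    $flagged = [];
    foreach ($rows as $userId => $idNumber) {
        $encoded = htmlspecialchars($idNumber, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        if ($encoded !== $idNumber) {
            $flagged[$userId] = $idNumber;
        }
    }
    return $flagged;
}

foreach ($storedIdNumbers as $userId => $idNumber) {
    echo 'unsafe: ', render_marker_option_unsafe($userId, $idNumber), PHP_EOL;
    echo 'safe:   ', render_marker_option_safe($userId, $idNumber), PHP_EOL;
}

$flagged = find_suspicious_id_numbers($storedIdNumbers);
echo 'user ids to review: ', implode(', ', array_keys($flagged)), PHP_EOL;
```

The audit flags harmless values such as the third row as well; it lists candidates for review rather than proving an injection attempt.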

Official References & Exploit Details

To keep the Moodle community informed and aware of the situation, the Moodle development team has released an official advisory:

- Moodle Security Advisory: https://moodle.org/mod/forum/discuss.php?d=425910
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30596

The advisory provides a comprehensive understanding of the vulnerability, along with the affected Moodle versions, which are as follows:

Solution & Mitigation

The Moodle developers have been quick to address this security issue and have provided patches for all affected versions. They have released the following updated versions that fix the vulnerability:

Moodle 3.5.18

It is highly recommended that Moodle administrators running affected versions immediately update their systems to the latest secure version to mitigate the risk. If updating is not immediately possible, they can apply the released patches to secure their systems from this stored XSS vulnerability.

Conclusion

Ensuring the security and integrity of an LMS like Moodle is crucial, particularly when storing and handling sensitive information. Attackers continuously search for vulnerabilities to exploit, making it vital for developers and administrators to stay informed and proactive in addressing security issues. By applying the provided patches and staying up-to-date with the latest Moodle versions, users can continue to safely use and manage their courses.

Stay informed about CVE-2022-30596 and other Moodle security updates by subscribing to their security announcements forum: https://moodle.org/mod/forum/view.php?id=7128

Timeline

Published on: 05/18/2022 17:15:00 UTC
Last modified on: 06/13/2022 14:46:00 UTC