CVE-2022-45150 - Reflected XSS Vulnerability in Moodle’s Policy Tool — Analysis, Exploit, and How To Stay Safe
Moodle is one of the world's most widely used learning management systems, deployed by schools, universities, and companies. In late 2022 a security issue, CVE-2022-45150, was disclosed that exposed unpatched sites to a reflected cross-site scripting (XSS) attack.
Let's look at what the flaw was, how an attacker could abuse it, and what you should do to protect your Moodle servers and their users.
What is CVE-2022-45150?
In simple terms, CVE-2022-45150 is a reflected cross-site scripting (XSS) flaw in Moodle's Policy Tool. Here's what that means:
- Reflected XSS happens when user-supplied input is returned ("reflected") in the page generated for that same request without being escaped first. The input is often as simple as a query parameter in a URL.
- Escaping (often loosely called sanitization) means encoding the input so that any HTML or script it contains is shown as plain text rather than interpreted by the browser.
Because the Policy Tool wrote a request parameter into the page without escaping it, an attacker could craft a link carrying a script payload. If a logged-in Moodle user opened that link, the script would run in their browser inside their Moodle session, able to do anything the victim is allowed to do on the site.
Reference:
- Moodle Security Advisory: MSA-22-0039
- NVD Entry: CVE-2022-45150 (https://nvd.nist.gov/vuln/detail/CVE-2022-45150)
Where Was the Vulnerability?
The issue was in the Policy Tool (admin/tool/policy), the component that shows users the site's policies and privacy agreements and records their acceptance. A query parameter to one of its pages was reflected into the HTML without being escaped.
In pseudo-code (not the actual Moodle source), the buggy line looked something like this:
```php
// Pseudo-code: the request parameter is written straight into the response.
echo $_GET['returnurl'];
```
This echoes whatever is passed in the returnurl parameter, so any HTML or script in it becomes part of the page. An attack plays out in three steps.
Craft a Malicious Link
The attacker creates a URL pointing to the vulnerable Moodle install with a malicious script injected into the returnurl parameter:
```text
https://moodle.example.com/admin/tool/policy/index.php?returnurl=javascript:alert('Hacked!')
```
Trick the User
The attacker sends this link (maybe via email or instant message) to a logged-in Moodle user—like a teacher or admin.
Script Executes
When the victim opens the link, the page reflects the returnurl value into the HTML unescaped, so the payload runs in the origin of the Moodle site with the victim's session. Note what kind of payload is needed: a javascript: URL like the one above only fires if the value ends up as a link target (for example an href) that the victim then clicks; if the value is written straight into the page body, as in the pseudo-code above, the attacker would instead inject markup such as a <script> tag. Either way the script runs as the victim.
What could an attacker do?
- Steal cookies: exfiltrate session or authentication cookies that are not protected by the HttpOnly flag, then use them to impersonate the user.
- Act as the victim: submit forms and requests from inside the victim's session, so the attacker can do anything the victim's role allows (change settings, post content, and so on).
- Deface pages: show students or staff offensive or misleading messages.
Who’s at risk:
Any logged-in user can be targeted, and the impact scales with the victim's role, so administrators and teachers are the most valuable targets. The attacker does not need a Moodle account, only the URL of the affected page, which sits at a standard path on every installation.
Moodle 3.9.19
Sanitization now in place:
The code now passes the value through Moodle's output-escaping function before printing it (again pseudo-code, not the actual patch):
```php
// s() HTML-escapes the string (it wraps htmlspecialchars), so "<" becomes "&lt;".
echo s($returnurl);
```
Escaping stops tag injection. Where the value is used as a link target, Moodle code also validates it when reading the parameter (for example with optional_param('returnurl', '', PARAM_LOCALURL)), so a javascript: URL is rejected before it reaches the page.
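To make both the attack steps above and the fix concrete, here is an added, self-contained PHP example. It is not Moodle's code and not the actual patch: the helper names (esc, reflect_raw, reflect_escaped, link_raw, link_safe, safe_local_url) are hypothetical stand-ins, esc() imitates Moodle's s(), safe_local_url() is a simplified imitation of PARAM_LOCALURL, and the sample inputs are constructed for the demonstration. It runs the same returnurl values through a vulnerable and a hardened version of two sinks: the page body (as in the pseudo-code) and a link href (where the javascript: payload from the example URL matters).

```php
<?php
// Added example, not Moodle's code. Helper names below are hypothetical.

// Stand-in for Moodle's s(): HTML-escape a string for output.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Sink 1, vulnerable: the value is written straight into the page body,
// like the "echo $_GET['returnurl']" pseudo-code. A "<script>" payload
// becomes live markup.
function reflect_raw(string $returnurl): string
{
    return '<p>Return to: ' . $returnurl . '</p>';
}

// Sink 1, fixed: escaping turns "<" into "&lt;", so the browser displays
// the payload as text instead of executing it.
function reflect_escaped(string $returnurl): string
{
    return '<p>Return to: ' . esc($returnurl) . '</p>';
}

// Sink 2, vulnerable: the value becomes a link target. Escaping alone does
// not help here: "javascript:alert(1)" contains nothing to escape and still
// runs when the victim clicks the link.
function link_raw(string $returnurl): string
{
    return '<a href="' . $returnurl . '">Back</a>';
}

// Allow only an absolute path on this site (a single leading "/"), rejecting
// schemes, protocol-relative "//host" URLs, whitespace and quote characters.
// Simplified imitation of what Moodle's PARAM_LOCALURL cleaning provides.
function safe_local_url(string $returnurl, string $fallback = '/'): string
{
    if (!preg_match('#^/(?![/\\\\])[^\s<>"\'\\\\]*$#', $returnurl)) {
        return $fallback;
    }
    return $returnurl;
}

// Sink 2, fixed: validate the URL first, then escape it for the attribute.
function link_safe(string $returnurl): string
{
    return '<a href="' . esc(safe_local_url($returnurl)) . '">Back</a>';
}

// Constructed sample inputs: one legitimate value and three attack payloads.
$samples = [
    '/admin/tool/policy/index.php',
    "javascript:alert('Hacked!')",
    '"><script>alert(document.cookie)</script>',
    '//attacker.example/login',
];

foreach ($samples as $input) {
    echo "input:            {$input}\n";
    echo "body, raw:        " . reflect_raw($input) . "\n";
    echo "body, escaped:    " . reflect_escaped($input) . "\n";
    echo "href, raw:        " . link_raw($input) . "\n";
    echo "href, validated:  " . link_safe($input) . "\n\n";
}
```

Save it as any file and run it with the php command-line interpreter. The output shows that escaping alone defeats the tag-injection payload in the body and the attribute break-out in the href, but only URL validation stops the javascript: and protocol-relative values, because they contain no characters that escaping would change. The two controls are complementary: validate the parameter when you read it, escape it for the context where you print it.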
Patch reference:
- Moodle git commit
How to stay safe:
- Always run a supported, up-to-date Moodle release, and apply security releases as soon as they are published.
- Download updates from moodle.org, and check Site administration > Notifications on your own site to see the installed version and whether an update is available.
CVE-2022-45150 is a dangerous, but now patched, reflected XSS flaw in Moodle's Policy Tool.
- It allowed attackers to run script in victims' browsers, potentially stealing data or taking over accounts.
- Always be wary of odd links, even from people you know; a reflected XSS attack needs the victim to open the attacker's URL.
For the nerds: want to practise against a test page? OWASP's XSS Prevention Cheat Sheet and a deliberately vulnerable practice application such as OWASP Juice Shop show how these attacks work and how escaping stops them.
Timeline
Published on: 11/23/2022 15:15:00 UTC
Last modified on: 01/31/2023 20:12:00 UTC