CVE-2022-30596: Cross-site Scripting in moodle
CVSS Score: 5.4 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-30596
GHSA ID:
EPSS Score: 0.77998%
CWE: CWE-79
Published: 5/19/2022
Updated: 9/12/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 4.0, < 4.0.1 | 4.0.1 |
| moodle/moodle | composer | >= 3.11, < 3.11.7 | 3.11.7 |
| moodle/moodle | composer | >= 3.10, < 3.10.11 | 3.10.11 |
| moodle/moodle | composer | >= 3.9, < 3.9.14 | 3.9.14 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The GitHub patch shows the vulnerability was fixed by wrapping $summary->user->$extrafield in the s() output-escaping function in mod/assign/classes/output/renderer.php. The original code emitted this value without any output escaping (CWE-79), which is what made the renderer vulnerable to cross-site scripting. The commit message explicitly references escaping identity fields in the 'allocate marker form', and the affected code path displays user identity data during marker allocation.