CVE-2022-35651
Description
A stored XSS and blind SSRF vulnerability was found in Moodle. It occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick a victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website, allowing them to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | >= 3.9, < 3.9.15 | 3.9.15 |
| moodle/moodle | Packagist | >= 3.11, < 3.11.8 | 3.11.8 |
| moodle/moodle | Packagist | >= 4.0, < 4.0.2 | 4.0.2 |
Affected products
Source: osv-coords (2 version ranges, no CPE)
- >= 3.9.0, < 3.9.15
- >= 3.9, < 3.9.15
Patches
Vulnerability mechanics
Root cause
"Insufficient sanitization of user-supplied data in SCORM track details allows injection of arbitrary HTML/script and server-side request forgery."
Attack vector
An attacker supplies SCORM track details containing malicious HTML/script payloads and crafts a link pointing to them. When a victim follows the link, the stored payload executes in the victim's browser in the context of the vulnerable Moodle site [CWE-79]. The same insufficient sanitization also enables blind SSRF: injected URLs are fetched by the server without proper validation [CWE-918]. The attack requires no special privileges beyond the ability to supply SCORM track data [ref_id=1].
Affected code
The vulnerability exists in the SCORM module's handling of track details within Moodle. The specific functions/files are not named in the provided bundle, but the commit search for MDL-71921 contains the patch [ref_id=1].
What the fix does
The patch is referenced via Moodle's Git commit search for MDL-71921 [ref_id=1]. The fix addresses the insufficient sanitization of user-supplied data in SCORM track details. No further details about the specific code changes are available in the provided bundle. The advisory recommends applying the patch from the Moodle Git repository [ref_id=1].
Preconditions
- input: Attacker must be able to supply SCORM track data to the Moodle instance
- network: Victim must follow a specially crafted link
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wwv7-h477-wrv7 (source: ghsa; type: ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/ (source: mitre; tags: vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/ (source: mitre; tags: vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2022-35651 (source: ghsa; type: ADVISORY)
- bugzilla.redhat.com/show_bug.cgi (source: ghsa; tags: x_refsource_MISC; type: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3 (source: ghsa; type: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V (source: ghsa; type: WEB)
- moodle.org/mod/forum/discuss.php (source: ghsa; tags: x_refsource_MISC; type: WEB)
News mentions
No linked articles in our index yet.