VYPR
Moderate severity · NVD Advisory · Published Jul 25, 2022 · Updated Aug 3, 2024

CVE-2022-35653

Description

A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists because user-supplied data in the LTI module is insufficiently sanitized. A remote attacker can trick a victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website, in order to steal potentially sensitive information, change the appearance of the web page, or perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-35653 is a reflected XSS in Moodle's LTI module caused by improper input sanitization, allowing an unauthenticated remote attacker to execute arbitrary script in a victim's browser.

Vulnerability

Description

CVE-2022-35653 is a reflected cross-site scripting (XSS) vulnerability found in the LTI (Learning Tools Interoperability) module of Moodle, the open-source learning platform. The root cause is insufficient sanitization of user-supplied data within this module, allowing an attacker to inject arbitrary HTML and JavaScript code via a crafted URL [1].

Attack

Vector and Prerequisites

The vulnerability is reflected, meaning the malicious payload is embedded in a URL and executed only when the victim opens the specially crafted link. No authentication is required to trigger the flaw, as the issue lies in pre-authentication handling of input [1]. The attacker needs no special network access beyond being able to deliver the link, which could be done through email, forums, or other media. The vulnerability does not impact authenticated users, meaning that once a user logs in, the vulnerable code path is no longer reachable [1].

Impact

Successful exploitation allows the attacker to execute arbitrary script code in the victim's browser within the context of the Moodle site. This can lead to theft of sensitive information (e.g., session tokens, cookies), alteration of page content, phishing attacks (by presenting fake login forms), and drive-by downloads of malware [1].
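The bug class the sections above describe, as an added PHP illustration: this is not Moodle's code and does not reproduce the actual LTI code path (the page does not show it). The parameter name `toolname` and the rendering functions are hypothetical. It puts a request value reflected into the page raw next to the same value encoded for the HTML context at output time, which is the fix for this class of issue.

```php
<?php
// Added illustration of the reflected-XSS bug class behind CVE-2022-35653.
// Not Moodle's code: parameter and function names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the value taken from the URL is interpolated into
// markup unchanged, so a crafted link can close the element and inject script.
function render_unsafe(string $toolname): string {
    return "<h2>Launching tool: " . $toolname . "</h2>";
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also encodes ' and ", so the same call is safe inside attributes.
// (Moodle's own s() helper serves the same purpose in real modules; plain
// htmlspecialchars() is used here so the snippet runs stand-alone.)
function render_safe(string $toolname): string {
    $escaped = htmlspecialchars($toolname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Launching tool: " . $escaped . "</h2>";
}

// Constructed sample of a crafted parameter value, as it would look after the
// web server URL-decodes a link such as ...?toolname=%3Cscript%3E...
$crafted = '<script>alert(1)</script>';

echo "Unsafe output (script tag reaches the browser as markup):\n";
echo render_unsafe($crafted) . "\n\n";
echo "Encoded output (browser shows the text, executes nothing):\n";
echo render_safe($crafted) . "\n";

// Regression checks worth keeping in a test suite: the encoded output must not
// contain a raw tag start, and decoding it must give back the original text,
// i.e. encoding loses no information, it only changes the interpretation.
assert(strpos(render_safe($crafted), '<script') === false);
assert(html_entity_decode(render_safe($crafted), ENT_QUOTES | ENT_HTML5, 'UTF-8')
       === render_unsafe($crafted));
```

Run with `php example.php`. The second assertion makes the design point explicit: output encoding is not a blocklist and does not reject input, it only ensures user-controlled text is rendered as text in the context it lands in.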

Mitigation

Status

The issue was addressed in Moodle by the patch tracked as MDL-72299 [1]. Administrators are advised to update to a Moodle version that includes this fix. Fedora package announcements [3][4] also reference the advisory, confirming that updates are available. No evidence of in-the-wild exploitation or of inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog was found in the provided references.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions    Patched versions
moodle/moodle (Packagist)  >= 4.0, < 4.0.2      4.0.2
moodle/moodle (Packagist)  >= 3.11, < 3.11.8    3.11.8
moodle/moodle (Packagist)  >= 3.9, < 3.9.15     3.9.15

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 8

News mentions: 0

No linked articles in our index yet.