CVE-2022-45150
Description
A reflected cross-site scripting (XSS) vulnerability was discovered in Moodle. The flaw exists because the policy tool does not sufficiently sanitize user-supplied data. An attacker can trick a victim into opening a specially crafted link that executes arbitrary HTML and script code in the victim's browser, in the context of the vulnerable site. Successful exploitation may let the attacker read potentially sensitive information available to the victim's session and modify the pages the victim sees.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | >= 3.9, < 3.9.18 | 3.9.18 |
| moodle/moodle | Packagist | >= 3.11, < 3.11.11 | 3.11.11 |
| moodle/moodle | Packagist | >= 4.0, < 4.0.5 | 4.0.5 |
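The table above is the practical check an administrator needs: which branch is the install on, and is it below that branch's first fixed release? The script below is an added example, not part of the advisory or of Moodle; it reads the `$release` string out of a Moodle `version.php`, classifies it against the three ranges in the table, and (the caveat that matters) reports branches the table does not mention as "not listed" rather than "safe". The `version.php` fragment is constructed for the example.

```php
<?php
// Added example (not from the advisory or from Moodle): classify a Moodle
// release string against the affected ranges for CVE-2022-45150.
declare(strict_types=1);

// Branch => first fixed version, taken from the affected-packages table.
const FIXED_BY_BRANCH = [
    '3.9'  => '3.9.18',
    '3.11' => '3.11.11',
    '4.0'  => '4.0.5',
];

/**
 * Pull the $release value out of the text of Moodle's version.php, which
 * writes it as e.g.  $release = '3.11.10+ (Build: 20221104)';
 */
function release_from_version_php(string $source): ?string
{
    return preg_match('/[$]release\s*=\s*\'([^\']*)\'/', $source, $m) ? $m[1] : null;
}

/**
 * Reduce a release string to its numeric prefix (major.minor[.patch]).
 * The "+" Moodle appends to weekly builds is dropped, which is the
 * conservative reading: a 3.11.10+ build is treated as 3.11.10.
 */
function numeric_version(string $release): ?string
{
    return preg_match('/^\s*(\d+\.\d+(?:\.\d+)?)/', $release, $m) ? $m[1] : null;
}

/** Returns 'affected', 'patched' or 'not listed'. */
function assess_release(string $release): string
{
    $v = numeric_version($release);
    if ($v === null) {
        throw new InvalidArgumentException("unrecognised release string: $release");
    }
    $parts  = explode('.', $v);
    $branch = $parts[0] . '.' . $parts[1];
    if (!isset(FIXED_BY_BRANCH[$branch])) {
        // 3.8 and older, 3.10, and branches newer than 4.0 are absent from the
        // table. Absence is not a clean bill of health: branches that were out
        // of security support simply received no fix, so report them as such.
        return 'not listed';
    }
    return version_compare($v, FIXED_BY_BRANCH[$branch], '<') ? 'affected' : 'patched';
}

// Constructed version.php fragment standing in for a real install's file.
$versionPhp = <<<'PHP'
<?php
defined('MOODLE_INTERNAL') || die();
$version  = 2021051710.00;
$release  = '3.11.10+ (Build: 20221104)';
$branch   = '311';
PHP;

$release = release_from_version_php($versionPhp);
printf("%-28s %s\n", $release, assess_release($release));

// A few more constructed release strings covering each outcome.
foreach (['3.9.17', '3.9.18', '4.0.4 (Build: 20220912)', '4.0.5', '3.8.9', '4.1'] as $r) {
    printf("%-28s %s\n", $r, assess_release($r));
}
```

Run it with `php` on the command line, or swap the constructed fragment for `file_get_contents('/path/to/moodle/version.php')`. On the constructed fragment the verdict is "affected", since 3.11.10 is below 3.11.11; 3.8.9 and 4.1 come back "not listed" because neither branch appears in the table, and that result should be read as "check support status", not "unaffected".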
Affected products
- (no CPE) range: >= 3.9.0, < 3.9.18
- (no CPE) range: >= 3.9, < 3.9.18
Patches
Vulnerability mechanics
Root cause
Insufficient sanitization of user-supplied data in the policy tool lets attacker-controlled HTML and script be reflected into the page and executed in the victim's browser (reflected XSS, CWE-79). This is client-side script execution in the user's session, not arbitrary code execution on the server.
Attack vector
An attacker can craft a malicious link containing arbitrary HTML and script code. When a victim clicks this link, the script executes within the context of the vulnerable website, leading to a reflected cross-site scripting attack [CWE-79]. This can be used to access sensitive information or modify web pages [ref_id=1].
Affected code
The vulnerability resides in the policy tool, specifically in how it handles user-supplied data. Insufficient sanitization of this input allows for the injection of malicious scripts. The provided reference points to a commit in the Moodle Git repository that addresses this issue [ref_id=1].
What the fix does
The patch addresses the vulnerability by implementing proper input sanitization for user-supplied data within the policy tool. This ensures that any HTML or script code embedded in user input is neutralized before being rendered in the browser, preventing the execution of malicious scripts and mitigating the cross-site scripting risk [ref_id=1].
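To make the attack vector and the fix concrete, here is an added example of the pattern in question: a page that reflects query-string values straight into HTML, beside a hardened version that types each value and escapes it at the point it is written. This is illustrative code written for this page, not Moodle's policy tool and not the actual patch; the parameter names (`returnurl`, `versionid`) and the markup are assumptions chosen for illustration. The request payload is constructed.

```php
<?php
// Added illustrative example (not Moodle's code, not the real patch): a reflected
// XSS pattern beside its hardened form. Parameter names are assumed.
declare(strict_types=1);

// Vulnerable pattern: query-string values are concatenated into HTML unchanged.
// A victim who opens a crafted link has the attacker's markup rendered in their
// own session.
function render_vulnerable(array $get): string
{
    $returnurl = $get['returnurl'] ?? '/';
    $versionid = $get['versionid'] ?? '';
    return '<a href="' . $returnurl . '">Back</a>'
         . '<input type="hidden" name="versionid" value="' . $versionid . '">';
}

// Hardened form: (1) type the parameter (an id must be an integer, a return URL
// must be a site-relative path), then (2) escape every value where it enters HTML.
// In Moodle the same two steps are optional_param(..., PARAM_INT) /
// optional_param(..., PARAM_LOCALURL) and s(); plain PHP equivalents are used
// here so the file runs stand-alone.
function render_hardened(array $get): string
{
    $versionid = filter_var($get['versionid'] ?? 0, FILTER_VALIDATE_INT);
    if ($versionid === false) {
        $versionid = 0;                        // anything that is not an integer is dropped
    }
    $returnurl = $get['returnurl'] ?? '/';
    // Allow only a site-relative path: must start with "/", must not start with
    // "//" or "/\" (both are read as protocol-relative by browsers), no whitespace.
    if (!preg_match('#^/(?![/\\\\])\S*$#', $returnurl)) {
        $returnurl = '/';
    }
    $esc = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $esc($returnurl) . '">Back</a>'
         . '<input type="hidden" name="versionid" value="' . $esc((string) $versionid) . '">';
}

// Constructed attacker request: each value closes its attribute and injects markup.
$payload = [
    'returnurl' => '"><script>alert(document.cookie)</script>',
    'versionid' => '7" autofocus onfocus="alert(1)',
];

$bad  = render_vulnerable($payload);
$good = render_hardened($payload);

echo "vulnerable: $bad\n";
echo "hardened:   $good\n";

// The vulnerable output contains a live <script> element and an injected event
// handler; the hardened output contains neither.
assert(strpos($bad,  '<script>')  !== false);
assert(strpos($good, '<script>')  === false);
assert(strpos($good, 'onfocus=')  === false);
```

The order of the two steps matters: typing the parameter limits what can reach the template at all (an integer id cannot carry markup, a local path cannot become `javascript:` or an off-site redirect), and escaping at output is what actually prevents a reflected value from breaking out of its attribute. Either alone leaves a gap; the page's description of the fix as "proper input sanitization" should be read as both.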
Preconditions
- input: The attacker must provide a specially crafted link containing malicious HTML and script code.
- network: The victim must be tricked into opening the crafted link.
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6gx2-g773-hv9h (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-45150 (NVD)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2DHYIIAUXUBHMBEDYU7TYNZXEN2W2SA2/ (Fedora package-announce, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74SXNGA5RIWM7QNX7H3G7SYIQLP4UUGV/ (Fedora package-announce, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NLRJB5JNKK3VVBLV3NH3RI7COEDAXSAB/ (Fedora package-announce, vendor advisory)
- moodle.org/mod/forum/discuss.php (Moodle security announcements forum)
News mentions
No linked articles in our index yet.