CVE-2022-45151
Description
A stored XSS vulnerability was discovered in Moodle. It exists because user-supplied data in several "social" user profile fields is not sufficiently sanitized. An attacker could inject arbitrary HTML and script code that is then executed in a victim's browser in the context of the vulnerable website.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | >= 3.11, < 3.11.11 | 3.11.11 |
| moodle/moodle | Packagist | >= 4.0, < 4.0.5 | 4.0.5 |
Affected products
OSV version ranges (2 listed, no CPE assigned):
- >= 3.11.0, < 3.11.11
- >= 3.11, < 3.11.11
Patches
Vulnerability mechanics
Root cause
"Insufficient sanitization of user-supplied data in social user profile fields allows for HTML and script injection."
Attack vector
An attacker can inject arbitrary HTML and script code into several 'social' user profile fields. This code is then executed in the browser of any user viewing the profile. The vulnerability exists due to insufficient sanitization of this user-supplied data [CWE-79].
Affected code
The vulnerability resides in the handling of user-supplied data within several 'social' user profile fields in Moodle. The exact code paths are not detailed in the provided references, but the fix is available via a git commit related to MDL-76131 [ref_id=1].
What the fix does
The patch addresses the vulnerability by implementing proper sanitization for user-supplied data within the social profile fields. This ensures that any HTML or script code injected by an attacker is neutralized before being displayed to other users, preventing cross-site scripting attacks. The specific commit addressing this issue can be found via the provided git reference [ref_id=1].
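The root cause quoted above is the generic CWE-79 pattern: a profile value is written into the page without output encoding. The PHP below is an added illustration written for this page; it is not Moodle's code and not the MDL-76131 fix (the diff is not reproduced here). It renders constructed sample field values first unsafely, then with the two controls a fix for this bug class needs: HTML escaping at the output boundary, and a scheme allowlist for fields that are rendered as links, because escaping alone leaves a `javascript:` URL intact inside an `href`. The field names and payloads are made up for the example.

```php
<?php
// Added illustration (not Moodle's code): rendering user-controlled profile
// fields into HTML, unsafely and then hardened. Field names, payloads and
// the set of "link-type" fields are constructed assumptions for this example.
declare(strict_types=1);

// Constructed sample of what an attacker might save in "social" profile fields.
const SAMPLE_FIELDS = [
    'skype' => 'alice"><script>alert(document.cookie)</script>',
    'url'   => 'javascript:alert(1)',
    'url2'  => 'https://example.org/~alice',
];

// Fields that the page renders as a clickable link (assumption for the example).
const LINK_FIELDS = ['url', 'url2'];

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so the attacker's <script> tag lands in every viewer's DOM.
function render_unsafe(string $label, string $value): string {
    return '<li>' . $label . ': <span class="value">' . $value . '</span></li>';
}

// Hardened: HTML-escape every user-controlled string at the output boundary.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_text(string $label, string $value): string {
    return '<li>' . esc($label) . ': <span class="value">' . esc($value) . '</span></li>';
}

// For a field rendered as a hyperlink, escaping is not enough: "javascript:"
// contains no special characters and survives htmlspecialchars unchanged.
// Only http/https are allowed as clickable targets; anything else is shown as text.
function safe_href(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

function render_link(string $label, string $value): string {
    $href = safe_href($value);
    if ($href === null) {
        return render_text($label, $value); // visible, but never clickable
    }
    return '<li>' . esc($label) . ': <a href="' . esc($href) . '" rel="nofollow noopener">'
        . esc($href) . '</a></li>';
}

function render_field(string $label, string $value): string {
    return in_array($label, LINK_FIELDS, true)
        ? render_link($label, $value)
        : render_text($label, $value);
}

// Self-check over the hardened renderer: no raw <script and no javascript: href
// may appear in the output for any of the sample payloads.
function renders_safely(array $fields): bool {
    foreach ($fields as $label => $value) {
        $html = render_field((string) $label, $value);
        if (stripos($html, '<script') !== false || preg_match('/href="\s*javascript:/i', $html)) {
            return false;
        }
    }
    return true;
}

foreach (SAMPLE_FIELDS as $label => $value) {
    echo 'unsafe: ' . render_unsafe($label, $value) . PHP_EOL;
    echo 'safe:   ' . render_field($label, $value) . PHP_EOL;
}
echo (renders_safely(SAMPLE_FIELDS) ? 'hardened output passed checks' : 'UNSAFE OUTPUT') . PHP_EOL;
```

Moodle's code base has its own output-escaping helpers (for example `s()` in lib/weblib.php), so a real fix in that project would use those rather than calling `htmlspecialchars` directly; the example uses plain PHP so it runs outside a Moodle checkout. One operational caveat follows from the fix working at display time: profile values saved while an instance was on an affected version remain in the database after the upgrade. They render harmlessly once the sanitization is in place, but querying the stored social fields for `<script`, `javascript:` or event-handler attributes is a cheap way to learn whether anyone tried.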
Preconditions
- input: User-supplied data in social profile fields.
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xv72-6pgh-cjj8 (GHSA: advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DHYIIAUXUBHMBEDYU7TYNZXEN2W2SA2/ (MITRE: vendor advisory; also listed by GHSA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74SXNGA5RIWM7QNX7H3G7SYIQLP4UUGV/ (MITRE: vendor advisory; also listed by GHSA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRJB5JNKK3VVBLV3NH3RI7COEDAXSAB/ (MITRE: vendor advisory; also listed by GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-45151 (GHSA: advisory)
- bugzilla.redhat.com/show_bug.cgi (GHSA: web)
- moodle.org/mod/forum/discuss.php (GHSA: web)