-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6285
              MSA-22-0030: Reflected XSS risk in policy tool
                              2 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-45150
Original Bulletin:
   https://moodle.org/mod/forum/discuss.php?d=440770&parent=1773538

Comment: CVSS (Max):  6.1 CVE-2022-45150 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

MSA-22-0030: Reflected XSS risk in policy tool

The return URL in the policy tool required extra sanitizing to prevent a
reflected XSS risk.

Severity/Risk:      Serious
Versions affected:  4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier
                    unsupported versions
Versions fixed:     4.0.5, 3.11.11 and 3.9.18
Reported by:        Eric Merrill
CVE identifier:     CVE-2022-45150
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76091
Tracker issue:      MDL-76091 Reflected XSS risk in policy tool

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
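As an added illustration of the return-URL issue described in MSA-22-0030 above (this is not Moodle's code and not the fix tracked in MDL-76091), the PHP below shows how a user-controlled return URL becomes a reflected XSS sink and the two defender-side layers that close it: restricting the value to a site-relative path, then HTML-encoding it at the output point. Function names and sample inputs are hypothetical.

```php
<?php
// Added example, not Moodle's own code: a user-controlled "returnurl" echoed
// into a link, the validation that restricts where it may point, and the
// output encoding that keeps it inside the attribute. Names are hypothetical.

/** Return the value unchanged if it is a site-relative path, otherwise ''. */
function sanitize_return_url(string $returnurl): string {
    $returnurl = trim($returnurl);
    // Must start with a single '/': this rules out "javascript:", "http://...",
    // protocol-relative "//host" and the "/\host" form some browsers accept.
    if ($returnurl === '' || $returnurl[0] !== '/'
            || substr($returnurl, 0, 2) === '//'
            || strpos($returnurl, '\\') !== false) {
        return '';
    }
    // Control characters are never legitimate in a return target.
    if (preg_match('/[\x00-\x1f\x7f]/', $returnurl)) {
        return '';
    }
    // Defence in depth: parse_url() must see neither a scheme nor a host.
    $parts = parse_url($returnurl);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return '';
    }
    return $returnurl;
}

/** Vulnerable pattern: the parameter goes straight into an attribute. */
function render_return_link_unsafe(string $returnurl): string {
    return '<a href="' . $returnurl . '">Continue</a>';
}

/** Fixed pattern: validated destination plus output encoding, with a safe fallback. */
function render_return_link(string $returnurl, string $fallback = '/'): string {
    $safe = sanitize_return_url($returnurl);
    if ($safe === '') {
        $safe = $fallback;
    }
    return '<a href="' . htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Continue</a>';
}

// Constructed inputs: one legitimate target, then the shapes a reflected XSS relies on.
$cases = [
    '/admin/tool/policy/index.php?id=1',          // accepted as-is
    'javascript:alert(1)',                        // rejected: script scheme
    '//attacker.example/',                        // rejected: off-site, protocol-relative
    '/course/view.php?id=2" onmouseover="alert(1)', // local path; encoding neutralises the quote
];
foreach ($cases as $in) {
    echo "input:  $in\nunsafe: " . render_return_link_unsafe($in)
       . "\nfixed:  " . render_return_link($in) . "\n\n";
}
```

The last case shows why both layers are needed: it passes the destination check because it is a local path, and only the `htmlspecialchars()` call at the output point stops the quote from closing the `href` attribute.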