-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6285
              MSA-22-0030: Reflected XSS risk in policy tool
                              2 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-45150

Original Bulletin:
   https://moodle.org/mod/forum/discuss.php?d=440770&parent=1773538

Comment: CVSS (Max):  6.1 CVE-2022-45150 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

MSA-22-0030: Reflected XSS risk in policy tool

The return URL in the policy tool required extra sanitizing to prevent a
reflected XSS risk.

Severity/Risk:     Serious
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier
                   unsupported versions
Versions fixed:    4.0.5, 3.11.11 and 3.9.18
Reported by:       Eric Merrill
CVE identifier:    CVE-2022-45150
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76091
Tracker issue:     MDL-76091 Reflected XSS risk in policy tool

- --------------------------END INCLUDED TEXT--------------------
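The bulletin above only states that the return URL needed extra sanitizing. As an added illustration (not Moodle's code and not the MDL-76091 change itself), the following shows the kind of return-URL handling that stops such a parameter from being reflected as script: resolve it against the site, accept only same-origin http(s) targets, and escape it when it is written into the page. The site root, the parameter name and the sample inputs are assumptions constructed for this example.

```python
"""Added example (not Moodle's code): validating a user-supplied return URL
before it is reflected into HTML, so it cannot carry reflected XSS.

Assumptions (constructed for this example): the site root is
https://moodle.example.org/ and the value arrives in a 'returnurl' parameter.
"""
import html
from urllib.parse import urljoin, urlsplit

SITE_ROOT = "https://moodle.example.org/"   # constructed site root


def safe_return_url(candidate: str, site_root: str = SITE_ROOT) -> str:
    """Return an absolute, same-origin URL derived from *candidate*,
    or *site_root* when the candidate is unsafe.

    Only http(s) URLs on the site's own origin and relative paths under the
    site root are accepted. javascript:/data: schemes, other hosts,
    scheme-relative //host links, whitespace and control characters are
    all rejected so the fallback is used instead.
    """
    if not candidate or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in candidate):
        return site_root
    if candidate.startswith("//"):           # scheme-relative: not local
        return site_root
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return site_root                      # javascript:, data:, vbscript:, ...
    root = urlsplit(site_root)
    resolved = urlsplit(urljoin(site_root, candidate))
    if resolved.scheme.lower() != root.scheme or \
            resolved.netloc.lower() != root.netloc.lower():
        return site_root                      # off-site target
    if not resolved.path.startswith(root.path):
        return site_root
    # Always hand back the fully resolved absolute form, never the raw input.
    return resolved.geturl()


def render_continue_link(candidate: str) -> str:
    """Build the 'Continue' link a policy page would show: the URL is
    validated first, then escaped, so even odd characters are inert."""
    url = safe_return_url(candidate)
    return '<a href="%s">Continue</a>' % html.escape(url, quote=True)
```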

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----