First published: Tue Jul 12 2022
An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in the mobile auto-login feature. A remote attacker can craft a link that points to a trusted website but, when clicked, redirects the victim to an arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
Credit: patrick@puiterwijk.org
Affected Software | Affected Version | How to fix |
---|---|---|
Moodle Moodle | >=3.9.0, <3.9.15 | |
Moodle Moodle | >=3.11.0, <3.11.8 | |
Moodle Moodle | >=4.0.0, <4.0.2 | |
Fedoraproject Fedora | =35 | |
Fedoraproject Fedora | =36 | |
composer/moodle/moodle | >=3.9, <3.9.15 | 3.9.15 |
composer/moodle/moodle | >=3.11, <3.11.8 | 3.11.8 |
composer/moodle/moodle | >=4.0, <4.0.2 | 4.0.2 |
redhat/moodle | <4.0.2 | 4.0.2 |
redhat/moodle | <3.11.8 | 3.11.8 |
redhat/moodle | <3.9.15 | 3.9.15 |
CVE-2022-35652 is an open redirect vulnerability in Moodle that allows remote attackers to redirect users to arbitrary URLs/domains.
CVE-2022-35652 is caused by improper sanitization of user-supplied data in Moodle's mobile auto-login feature, which lets an attacker craft a link on the trusted site that redirects users to an arbitrary destination.
The severity of CVE-2022-35652 is medium, with a CVSS score of 6.1.
Moodle versions 3.9.0 to 3.9.15, 3.11.0 to 3.11.8, and 4.0.0 to 4.0.2 are affected by CVE-2022-35652.
To mitigate CVE-2022-35652, upgrade to the latest patched Moodle version. For the affected branches, upgrade to 3.9.16, 3.11.9, or 4.0.3, or apply the patches provided by Moodle.
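The class of flaw described above, improper validation of a user-supplied redirect target, is illustrated by the added Python example below; it is not Moodle's code and makes no claim about how the actual auto-login check looked. The host name `moodle.example` and the input URLs are constructed; the weak check stands beside a hardened one that only permits targets staying on the site's own host.

```python
from urllib.parse import urlsplit

# Constructed: the host name of the deployment itself.
SITE_HOST = "moodle.example"


def weak_is_local(url: str) -> bool:
    """A naive check of the kind that produces an open redirect.

    It accepts anything that starts with '/' or merely mentions the
    site host somewhere in the string, so protocol-relative URLs and
    foreign URLs carrying the host in a query string both pass.
    """
    return url.startswith("/") or SITE_HOST in url


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Return url only if it stays on SITE_HOST, otherwise the default.

    Accepted: site-relative paths ('/course/...') and absolute http(s)
    URLs whose parsed host is exactly SITE_HOST.
    Rejected: '//host' and '/\\host' forms (browsers treat both as a new
    authority), non-http schemes, userinfo tricks ('host@other') and
    hosts that only start with SITE_HOST.
    """
    if not url:
        return default
    # Browsers tolerate backslashes as slashes; normalise before parsing
    # so '/\\evil' is seen as '//evil' and lands in netloc below.
    candidate = url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: only a single-slash site path is allowed.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    # Absolute reference: scheme and exact host must both match.
    if parts.scheme in ("http", "https") and parts.hostname == SITE_HOST:
        return candidate
    return default
```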