CVE-2022-35652 : An open redirect issue was found in Moodle due to improper sanitization of user-

An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Published 2022-07-25 16:15:08

Updated 2022-12-21 15:01:20

Source Fedora Project

View at NVD, CVE.org

Vulnerability category: Open redirect

Products affected by CVE-2022-35652

Moodle » Moodle
Versions from including (>=) 3.9.0 and before (<) 3.9.15
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle
Versions from including (>=) 4.0.0 and before (<) 4.0.2
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle
Versions from including (>=) 3.11.0 and before (<) 3.11.8
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 36
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-35652

EPSS FAQ

0.27%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 50 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-35652

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2022-35652

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Assigned by:
- nvd@nist.gov (Primary)
- patrick@puiterwijk.org (Secondary)

References for CVE-2022-35652

https://bugzilla.redhat.com/show_bug.cgi?id=2106276

2106276 – (CVE-2022-35652, MSA-22-0018) CVE-2022-35652 moodle: Open redirect risk in mobile auto-login feature
Issue Tracking;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/

[SECURITY] Fedora 35 Update: moodle-3.11.8-1.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://moodle.org/mod/forum/discuss.php?d=436459

Moodle.org: MSA-22-0018: Open redirect risk in mobile auto-login feature
Vendor Advisory
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171

Official Moodle git projects - moodle.git/search
Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/

[SECURITY] Fedora 36 Update: moodle-3.11.8-1.fc36 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-35652

Products affected by CVE-2022-35652

Exploit prediction scoring system (EPSS) score for CVE-2022-35652

CVSS scores for CVE-2022-35652

CWE ids for CVE-2022-35652

References for CVE-2022-35652