A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website. This flaw allows an attacker to perform cross-site request forgery attacks.
Published 2022-11-23 15:15:11
Updated 2023-01-31 20:16:27
Source Elastic
View at NVD,   CVE.org
Vulnerability category: Cross-site request forgery (CSRF)

Exploit prediction scoring system (EPSS) score for CVE-2022-45149

0.21%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 59 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-45149

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
5.4
MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
2.8
2.5
NIST

CWE ids for CVE-2022-45149

  • The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
    Assigned by:
    • bressers@elastic.co (Secondary)
    • nvd@nist.gov (Primary)

References for CVE-2022-45149

Products affected by CVE-2022-45149

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!