CVE-2022-35652 - OpenCVE

An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*

No data.

References

Link	Providers
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171
https://bugzilla.redhat.com/show_bug.cgi?id=2106276
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/
https://moodle.org/mod/forum/discuss.php?d=436459

History

No history.

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2022-07-25T15:31:36

Updated: 2024-08-03T09:36:44.483Z

Reserved: 2022-07-12T00:00:00

Link: CVE-2022-35652

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-07-25T16:15:08.463

Modified: 2023-11-07T03:49:20.150

Link: CVE-2022-35652

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Moodle", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in moodle 4.0.2, moodle 3.11.8, moodle 3.9.15"}]}], "descriptions": [{"lang": "en", "value": "An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-27T04:06:19", "orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2106276"}, {"tags": ["x_refsource_MISC"], "url": "https://moodle.org/mod/forum/discuss.php?d=436459"}, {"tags": ["x_refsource_MISC"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171"}, {"name": "FEDORA-2022-81ce74b2dd", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/"}, {"name": "FEDORA-2022-7e7ce7df2e", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "patrick@puiterwijk.org", "ID": "CVE-2022-35652", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Moodle", "version": {"version_data": [{"version_value": "Fixed in moodle 4.0.2, moodle 3.11.8, moodle 3.9.15"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2106276", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2106276"}, {"name": "https://moodle.org/mod/forum/discuss.php?d=436459", "refsource": "MISC", "url": "https://moodle.org/mod/forum/discuss.php?d=436459"}, {"name": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171", "refsource": "MISC", "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171"}, {"name": "FEDORA-2022-81ce74b2dd", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/"}, {"name": "FEDORA-2022-7e7ce7df2e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:36:44.483Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2106276"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://moodle.org/mod/forum/discuss.php?d=436459"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171"}, {"name": "FEDORA-2022-81ce74b2dd", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/"}, {"name": "FEDORA-2022-7e7ce7df2e", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/"}]}]}, "cveMetadata": {"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "assignerShortName": "fedora", "cveId": "CVE-2022-35652", "datePublished": "2022-07-25T15:31:36", "dateReserved": "2022-07-12T00:00:00", "dateUpdated": "2024-08-03T09:36:44.483Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B77A5BD-2E62-402E-91AE-123454C5C5C6", "versionEndExcluding": "3.9.15", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "EED9C096-FAE5-4206-B901-1D2EDD67AE7B", "versionEndExcluding": "3.11.8", "versionStartIncluding": "3.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D35119B-0B9B-4247-92F6-B788841A36F6", "versionEndExcluding": "4.0.2", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information."}, {"lang": "es", "value": "Se ha encontrado un problema de redireccionamiento abierto en Moodle debido a un saneamiento inapropiado de los datos suministrados por el usuario en la funci\u00f3n de auto-inicio de sesi\u00f3n m\u00f3vil. Un atacante remoto puede crear un enlace que conlleva a un sitio web confiable, sin embargo, cuando hace clic, redirige a las v\u00edctimas a una URL/dominio arbitrario. Una explotaci\u00f3n con \u00e9xito de esta vulnerabilidad puede permitir a un atacante remoto llevar a cabo un ataque de phishing y robar informaci\u00f3n potencialmente confidencial"}], "id": "CVE-2022-35652", "lastModified": "2023-11-07T03:49:20.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-25T16:15:08.463", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Vendor Advisory"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171"}, {"source": "patrick@puiterwijk.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2106276"}, {"source": "patrick@puiterwijk.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/"}, {"source": "patrick@puiterwijk.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/"}, {"source": "patrick@puiterwijk.org", "tags": ["Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=436459"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-601"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}]}