CVE-2022-46147 - OpenCVE

Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image. Versions prior to 3.0.0 are vulnerable to cross-site scripting in multiple XBlock Fields. Any platform that has deployed the XBlock may be impacted. Version 3.0.0 contains a patch for this issue. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openedx	Xblock-drag-and-drop-v2

Configuration 1 [-]

cpe:2.3:a:openedx:xblock-drag-and-drop-v2:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/openedx/xblock-drag-and-drop-v2/commit/68887d1b4a44325d2de7573d450e41129ba98b1a
https://github.com/openedx/xblock-drag-and-drop-v2/pull/295#issuecomment-1277693864
https://github.com/openedx/xblock-drag-and-drop-v2/releases/tag/v3.0.0
https://github.com/openedx/xblock-drag-and-drop-v2/security/advisories/GHSA-qv6c-367r-3w6q

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-11-28T00:00:00

Updated: 2024-08-03T14:24:03.266Z

Reserved: 2022-11-28T00:00:00

Link: CVE-2022-46147

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-11-28T21:15:10.797

Modified: 2022-12-01T23:07:20.930

Link: CVE-2022-46147

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-46147", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T14:24:03.266Z", "dateReserved": "2022-11-28T00:00:00", "datePublished": "2022-11-28T00:00:00"}, "containers": {"cna": {"title": "Drag and Drop XBlock v2 has XSS Issues in Xblock Input Fields", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-28T00:00:00"}, "descriptions": [{"lang": "en", "value": "Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image. Versions prior to 3.0.0 are vulnerable to cross-site scripting in multiple XBlock Fields. Any platform that has deployed the XBlock may be impacted. Version 3.0.0 contains a patch for this issue. There are no known workarounds."}], "affected": [{"vendor": "openedx", "product": "xblock-drag-and-drop-v2", "versions": [{"version": "< 3.0.0", "status": "affected"}]}], "references": [{"url": "https://github.com/openedx/xblock-drag-and-drop-v2/security/advisories/GHSA-qv6c-367r-3w6q"}, {"url": "https://github.com/openedx/xblock-drag-and-drop-v2/pull/295#issuecomment-1277693864"}, {"url": "https://github.com/openedx/xblock-drag-and-drop-v2/commit/68887d1b4a44325d2de7573d450e41129ba98b1a"}, {"url": "https://github.com/openedx/xblock-drag-and-drop-v2/releases/tag/v3.0.0"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79"}]}], "source": {"advisory": "GHSA-qv6c-367r-3w6q", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:24:03.266Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/openedx/xblock-drag-and-drop-v2/security/advisories/GHSA-qv6c-367r-3w6q", "tags": ["x_transferred"]}, {"url": "https://github.com/openedx/xblock-drag-and-drop-v2/pull/295#issuecomment-1277693864", "tags": ["x_transferred"]}, {"url": "https://github.com/openedx/xblock-drag-and-drop-v2/commit/68887d1b4a44325d2de7573d450e41129ba98b1a", "tags": ["x_transferred"]}, {"url": "https://github.com/openedx/xblock-drag-and-drop-v2/releases/tag/v3.0.0", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openedx:xblock-drag-and-drop-v2:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2A4EE44-EE74-4216-B863-E6F1DFA3F52D", "versionEndExcluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image. Versions prior to 3.0.0 are vulnerable to cross-site scripting in multiple XBlock Fields. Any platform that has deployed the XBlock may be impacted. Version 3.0.0 contains a patch for this issue. There are no known workarounds."}, {"lang": "es", "value": "Drag and Drop XBlock v2 implementa un problema de estilo de arrastrar y soltar, donde un alumno tiene que arrastrar elementos a zonas de una imagen de destino. Las versiones anteriores a la 3.0.0 son vulnerables a Cross-Site Scripting (XSS) en m\u00faltiples campos XBlock. Cualquier plataforma que haya implementado XBlock puede verse afectada. La versi\u00f3n 3.0.0 contiene un parche para este problema. No se conocen workarounds."}], "id": "CVE-2022-46147", "lastModified": "2022-12-01T23:07:20.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-11-28T21:15:10.797", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/openedx/xblock-drag-and-drop-v2/commit/68887d1b4a44325d2de7573d450e41129ba98b1a"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/openedx/xblock-drag-and-drop-v2/pull/295#issuecomment-1277693864"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/openedx/xblock-drag-and-drop-v2/releases/tag/v3.0.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/openedx/xblock-drag-and-drop-v2/security/advisories/GHSA-qv6c-367r-3w6q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}