CVE-2024-28593

MEDIUM

Moodle 4.3.3 - Unauthenticated HTML Injection in Chat Activity

Title source: llm

Description

The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text." This page also says "Chat is due to be removed from standard Moodle."

References (3)

Core 3

Core References

Product

https://docs.moodle.org/403/en/Using_Chat

Third Party Advisory

https://gist.githubusercontent.com/minendie/4f23174687bc4d8eb7f727d9959b5399/raw/9ce573cebcce5521d9d6f826ab68f3780036b874/CVE-2024-28593.txt

Not Applicable

https://medium.com/%40lamscun/how-do-i-change-htmli-from-low-to-critical-your-email-box-is-safe-e7171efd88fe

Scores

CVSS v3 5.4

EPSS 0.0014

EPSS Percentile 33.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-94

Status published

Products (2)

moodle/moodle 4.3.3

moodle/moodle 0Packagist

Published Mar 22, 2024

Tracked Since Feb 18, 2026