CVE-2023-46858: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

October 29, 2023 (updated November 7, 2023)

Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states “Some forms of rich content [are] used by teachers to enhance their courses … admins and teachers can post XSS-capable content, but students can not.”

References

docs.moodle.org/403/en/Security_FAQ
gist.github.com/Abid-Ahmad/12d2b4878eb731e8871b96b7d55125cd
nvd.nist.gov/vuln/detail/CVE-2023-46858
packetstormsecurity.com/files/175277/Moodle-4.3-Cross-Site-Scripting.html

Code Behaviors & Features

Detect and mitigate CVE-2023-46858 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →