What is CVE-2022-35653?

A medium-severity reflected XSS vulnerability exists in the LTI module of Moodle, affecting multiple versions. Organizations must prioritize patching to mitigate risks associated with potential phishing and data theft.

What is the severity of CVE-2022-35653?

CVE-2022-35653 has a severity rating of MEDIUM with a CVSS base score of 6.1.

CVE-2022-35653 | Medium Vulnerability in Moodle LTI Module

A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in the context of the vulnerable website to steal potentially sensitive information, change the appearance of the web page, perform phishing, and drive-by-download attacks. This vulnerability does not impact authenticated users.

The severity of this vulnerability is classified as medium with a CVSS score of 6.1. Organizations should prioritize patching immediately to mitigate risks associated with exploitation. The attack vector is network-based, requiring user interaction, which could lead to a range of malicious activities if exploited.

Currently, there is no known public exploit available for this vulnerability, indicating that while the risk is present, exploitation attempts may not be imminent. Organizations should remain vigilant and monitor for any emerging threats.

As this vulnerability affects multiple versions of Moodle and associated products, it is imperative for organizations using these technologies to assess their systems for exposure and apply the necessary updates.

Vulnerability Details

The vulnerability identified as CVE-2022-35653 is a reflected XSS issue in the LTI module of Moodle, which allows attackers to execute arbitrary code in the user's browser. The CVSS score of 6.1 indicates a medium severity level, highlighting the potential impact on confidentiality and integrity.

Affected versions include Moodle versions from 3.9.0 to 3.9.14, 3.11.0 to 3.11.8, and all versions of 4.0.0 and 4.0.1. Organizations should reference the official patches to ensure their systems are updated accordingly.

Technical Analysis

The root cause of this vulnerability lies in the insufficient sanitization of user-supplied data within the LTI module. The attack vector is network-based, requiring user interaction through following a malicious link. The attack complexity is low, and privileges required are none, making it accessible to a wide range of attackers.

The confidentiality and integrity impacts are both classified as low, indicating that while sensitive data could be exposed, the overall system availability remains unaffected.

Risk & Impact Analysis

Risk to organizations includes potential data theft, phishing attacks, and damage to brand reputation through malicious exploits. The blast radius could extend to users interacting with the LTI module, making it critical to address this vulnerability promptly.

Given the CVSS score of 6.1 and the absence of known exploits, organizations should address this vulnerability in their priority patch cycle. Continuous monitoring is recommended to detect any exploitation attempts.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

Affected versions include Moodle from 3.9.0 to 3.9.14, 3.11.0 to 3.11.8, and 4.0.0 and 4.0.1. Organizations should ensure that all instances of these versions are updated to mitigate the vulnerability.

Mitigation & Remediation

Organizations should immediately apply the vendor patches available for Moodle to remediate this vulnerability. For those unable to apply patches immediately, consider implementing input validation and output encoding as temporary workarounds to mitigate risk.

Regular security assessments, including penetration testing should be conducted to identify weaknesses in systems, ensuring the implementation of best practices in web security.

Detection Guidance

Organizations should monitor logs for unusual activities, especially concerning user interactions with the LTI module. Detection of unexpected submissions or script execution attempts can indicate potential exploitation.

AppSecure Threat Intelligence Insight

This vulnerability represents a growing trend of reflected XSS issues in web applications, highlighting the need for robust input validation mechanisms. Security teams should adopt a proactive approach by implementing comprehensive security measures, including regular vulnerability management programs and engaging in continuous security assessments.

By leveraging insights from threat intelligence, organizations can better understand the evolving threat landscape and tailor their defenses accordingly. It is essential to stay informed on emerging vulnerabilities and their implications on security posture.

Overall, this vulnerability serves as a reminder of the importance of secure coding practices and the necessity of regular security training for developers.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2022-35653: Medium Vulnerability in Moodle LTI Module