CVE Vulnerability

CVE-2022-46147

Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image. Versions prior to 3.0.0 are vulnerable to cross-site scripting in multiple XBlock Fields. Any platform that has deployed the XBlock may be impacted. Version 3.0.0 contains a patch for this issue. There are no known workarounds.

6.1 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/openedx/xblock-drag-and-drop-v2/security/advisories/GHSA-qv6c-367r-3w6q Patch Third Party Advisory
https://github.com/openedx/xblock-drag-and-drop-v2/pull/295#issuecomment-1277693864 Exploit Patch
https://github.com/openedx/xblock-drag-and-drop-v2/releases/tag/v3.0.0 Patch Release Notes
https://github.com/openedx/xblock-drag-and-drop-v2/commit/68887d1b4a44325d2de7573d450e41129ba98b1a Patch Release Notes
Configurations

Configuration 1

cpe:2.3:a:openedx:xblock-drag-and-drop-v2:*:*:*:*:*:*:*:*
Information

Published : 2022-11-28 09:15

Updated : 2022-12-01 11:07

NVD link : CVE-2022-46147

Mitre link : CVE-2022-46147

Products Affected
No products.
CWE
CWE-79