
Author: Government Digital Service (GDS)

CVE-2023-35653: Moodle LTI module Reflected XSS

What this means

CVE-2023-35653 is a Reflected Cross-Site Scripting (XSS) issue identified in the Learning Tools Interoperability (LTI) module of Moodle.

This issue arises from inadequate sanitisation of user-supplied data. This allows attackers to craft malicious links that, when followed by a user, execute arbitrary HTML or JavaScript code in the user’s browser within the context of the vulnerable Moodle site.

Why this is a problem

If successful, an XSS attack can severely impact websites and web applications. An attack can compromise user accounts and trick users into executing malicious code.

This can lead to:

  • unauthorised actions – attackers can perform actions on behalf of the user within the Moodle environment
  • credential theft – attackers can create convincing phishing scenarios

How to check if the problem is there

An administrator can check for this vulnerability by:

  • verifying the Moodle version
  • testing for the vulnerability

Verifying the Moodle version

Determine the version of Moodle currently in use. The vulnerability affects the following versions:

  • 4.0 to 4.0.1
  • 3.11 to 3.11.7
  • 3.9 to 3.9.14
  • earlier unsupported versions

If the Moodle installation falls within one of these ranges, it may be vulnerable.
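As an added example (not part of the GDS advisory or Moodle's own code), the following Python script applies the version ranges listed above to a release string read from a Moodle `version.php` file. The `$release` line format, and the treatment of branches the advisory does not name (3.10.x as an "earlier unsupported version", 4.1 and later as carrying the fix), are assumptions.

```python
import re

# Affected branches and the point release that fixed each, as listed in the advisory.
FIXED_IN = {(4, 0): (4, 0, 2), (3, 11): (3, 11, 8), (3, 9): (3, 9, 15)}
# Assumption: releases on branches not named above are classified relative to the
# newest fixed release; older ones count as "earlier unsupported versions".
LATEST_FIX = (4, 0, 2)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Parse a Moodle release string into a (major, minor, patch) tuple.

    Accepts plain versions ("4.0.1") and the longer form assumed for version.php,
    e.g. "3.11.7+ (Build: 20220509)"; a missing patch number is treated as 0."""
    m = _VERSION_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised Moodle release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(release):
    """Return True if the release falls in a range the advisory lists as vulnerable."""
    v = parse_release(release)
    branch = v[:2]
    if branch in FIXED_IN:
        # 4.0.x, 3.11.x, 3.9.x: vulnerable below the listed fix release.
        return v < FIXED_IN[branch]
    # Any other branch: 3.10.x and older are unsupported and treated as affected;
    # 4.1 and later are assumed to include the fix.
    return v < LATEST_FIX


def check_version_php(text):
    """Find the $release assignment in version.php contents and classify it.

    Assumption: the file contains a line such as  $release = '4.0.1 (Build: 20220509)';"""
    m = re.search(r"\$release\s*=\s*['\"]([^'\"]+)['\"]", text)
    if not m:
        raise ValueError("no $release assignment found in version.php")
    release = m.group(1)
    return release, is_affected(release)


if __name__ == "__main__":
    # Constructed version.php fragment; the build date is made up for illustration.
    sample = "$version  = 2022041901.00;\n$release  = '4.0.1 (Build: 20220509)';\n"
    release, affected = check_version_php(sample)
    status = "AFFECTED by" if affected else "not affected by"
    print(f"Moodle {release}: {status} CVE-2023-35653")
```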

Testing for the vulnerability

Conduct security assessments focusing on the LTI module to identify any Reflected XSS vulnerabilities.

You can do this by:

  • using security tools designed to detect XSS issues
  • manually testing by inputting malicious scripts to see if they are executed

How to fix this

To mitigate this vulnerability, an administrator should:

  • update Moodle
  • apply security patches
  • disable the LTI Module (as a temporary measure)

Updating Moodle

Upgrade to the latest stable version of Moodle. The vulnerability has been addressed in the following versions:

  • 4.0.2
  • 3.11.8
  • 3.9.15

Updating to these versions or later will mitigate the risk associated with CVE-2023-35653.

Applying security patches

If a full upgrade is not feasible, apply any available security patches that address this specific vulnerability. Check Moodle’s official resources for patch information.

Disabling the LTI Module

As a temporary workaround, consider disabling the LTI module until the system can be updated or patched.
