Search for vulnerabilities
Vulnerability details: VCID-34x3-xa2r-dqhm
Vulnerability ID VCID-34x3-xa2r-dqhm
Aliases CVE-2022-2986
GHSA-xjr3-fwp9-9g96
Summary Moodle Cross-Site Request Forgery (CSRF) Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 8.8 http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75326
generic_textual HIGH http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75326
epss 0.00211 https://api.first.org/data/v1/epss?cve=CVE-2022-2986
epss 0.0024 https://api.first.org/data/v1/epss?cve=CVE-2022-2986
cvssv3.1 8.8 https://bugzilla.redhat.com/show_bug.cgi?id=2121360
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=2121360
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-xjr3-fwp9-9g96
cvssv3.1 8.8 https://github.com/moodle/moodle
generic_textual HIGH https://github.com/moodle/moodle
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2022-2986
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-2986
Reference id Reference type URL
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75326
https://api.first.org/data/v1/epss?cve=CVE-2022-2986
https://bugzilla.redhat.com/show_bug.cgi?id=2121360
https://github.com/moodle/moodle
https://nvd.nist.gov/vuln/detail/CVE-2022-2986
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
GHSA-xjr3-fwp9-9g96 https://github.com/advisories/GHSA-xjr3-fwp9-9g96
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75326
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=2121360
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/moodle/moodle
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-2986
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.43788
EPSS Score 0.00211
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:22:41.997787+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-xjr3-fwp9-9g96/GHSA-xjr3-fwp9-9g96.json 36.1.3