CVE-2022-50943 Overview
CVE-2022-50943 is a reflected cross-site scripting (XSS) vulnerability in Moodle LMS 4.0. The flaw exists in course/search.php, where the application reflects the search request parameter into the response without proper output encoding. Unauthenticated attackers can craft URLs containing JavaScript payloads that execute in a victim's browser when the link is opened. Successful exploitation allows session cookie theft, account takeover within the learning management system, and arbitrary actions performed in the victim's authenticated context. The issue is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in the browsers of authenticated Moodle users, enabling session hijacking and impersonation of students, teachers, and administrators.
Affected Products
- Moodle LMS 4.0
- Deployments exposing course/search.php to untrusted users
- Self-hosted Moodle instances on the affected branch
Discovery Timeline
- 2026-05-10 - CVE-2022-50943 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2022-50943
Vulnerability Analysis
The vulnerability resides in the course search functionality of Moodle LMS 4.0. The course/search.php endpoint accepts a search query parameter and renders its value back into the HTML response. The application fails to apply contextual output encoding before placing user input into the page. An attacker who crafts a malicious URL can inject HTML and JavaScript that the victim's browser parses and executes in the origin of the Moodle deployment.
Because the vulnerable endpoint is reachable without authentication, attackers can stage payloads and distribute them through email, forum posts, or social engineering. When an authenticated user follows the link, the injected script runs with that user's privileges in the Moodle session.
The Exploit Prediction Scoring System (EPSS) probability is 0.109%. A proof of concept is publicly available through Exploit-DB #51115 and the VulnCheck Advisory on Moodle.
Root Cause
The root cause is missing sanitization and output encoding of the search parameter before it is reflected into the HTML response by course/search.php. User-controlled input is treated as trusted markup rather than data, allowing breakout from the intended text context into script execution.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker constructs a URL pointing to the vulnerable Moodle host with a JavaScript payload supplied through the search parameter. The victim must open the crafted link in an authenticated session. The payload then executes in the victim's browser, accessing cookies, document content, and any APIs available to the session. Refer to the VulnCheck Advisory on Moodle for technical details and a reproduction recipe.
Detection Methods for CVE-2022-50943
Indicators of Compromise
- HTTP requests to course/search.php containing URL-encoded <script>, onerror=, onload=, or javascript: sequences in the search parameter
- Web server access logs showing unusually long or encoded search query strings from external referrers
- Outbound requests from user browsers to unfamiliar domains immediately after visiting course/search.php
- Reports of unexpected session terminations or session reuse from new IP addresses following a phishing campaign
Detection Strategies
- Inspect web server and application logs for search parameter values containing HTML tags, event handlers, or encoded script markers
- Deploy a web application firewall (WAF) rule that flags reflected XSS patterns on the Moodle course search endpoint
- Correlate authenticated Moodle session activity with suspicious referrer URLs containing course/search.php?search=
- Hunt for anomalous administrator or teacher actions occurring shortly after a search request with attacker-controlled input
Monitoring Recommendations
- Forward Moodle web server logs to a centralized logging platform and alert on payloads matching XSS signatures
- Monitor for new or modified Moodle user roles, password changes, and API token generation following suspicious requests
- Track browser-side errors and Content Security Policy (CSP) violation reports if CSP is enabled
How to Mitigate CVE-2022-50943
Immediate Actions Required
- Upgrade Moodle LMS 4.0 to the latest supported release that addresses the XSS in course/search.php
- Restrict access to the Moodle instance to authenticated users where business requirements allow
- Force session invalidation for users who may have followed suspicious links to course/search.php
- Communicate phishing awareness guidance to staff and students using the platform
Patch Information
Moodle maintains source code at the Moodle Git Repository and distributes releases through the Moodle Official Site. Administrators should apply the latest stable update for the 4.0 branch or move to a supported successor release. Validate that course/search.php properly encodes the search parameter on output after upgrading.
Workarounds
- Deploy a WAF rule that blocks requests to course/search.php containing HTML tags, JavaScript event handlers, or javascript: URIs in the search parameter
- Enable a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins
- Set the HttpOnly and Secure flags on Moodle session cookies to reduce the impact of script-based cookie theft
- Limit network exposure of the Moodle instance to known IP ranges or VPN users until patching is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
