Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
    (CVE-2022-2986)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Moodle installed on the remote host is 3.9.x prior to 3.9.16, 3.11.x prior to 3.11.9 or 4.0.x prior to 4.0.3. It is, therefore, affected by multiple vulnerabilities:

 - A vulnerable version of the Mustache template library included in Moodle. (CVE-2022-0323)

 - A Cross-Site Request Forgery (CSRF) vulnerability due to the lack of token check when enabling and disabled installed H5P libraries. (CVE-2022-2986)

Note that the scanner has not attempted to exploit this issue but has instead relied only on application's self-reported version number.

ID	Name	Product	Family	Severity
260711	Linux Distros Unpatched Vulnerability : CVE-2022-2986	Nessus	Misc.	high
113599	Moodle 4.0.x < 4.0.3 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
113598	Moodle 3.11.x < 3.11.9 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
113597	Moodle 3.9.x < 3.9.16 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high

Detections

Analytics

CVE-2022-2986

high

Tenable Plugins

high

high

high

high