CVE-2022-46147 HIGH

CVE-2022-46147: Drag and Drop XBlock v2 has XSS Issues in Xblock Input Fields

Vendor Openedx

Product xblock-drag-and-drop-v2

Weakness CWE-79 · XSS

Published November 28, 2022

Last update April 22, 2025

View on NVD All CVEs

CVSS base score

8.4/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image. Versions prior to 3.0.0 are vulnerable to cross-site scripting in multiple XBlock Fields. Any platform that has deployed the XBlock may be impacted. Version 3.0.0 contains a patch for this issue. There are no known workarounds.

Key dates

02Disclosure timeline

November 28, 2022 CVE published

April 22, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-46147 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-25078 WordPress Google Earth Embed plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability CVE-2024-1164 Brizy – Page Builder <= 2.4.43 - Authenticated(Contributor+) Stored Cross-Site Scripting via Form Functionality CVE-2024-31091 WordPress Custom Field Bulk Editor plugin <= 1.9.1 - Cross Site Scripting vulnerability CVE-2021-21259 Stored XSS in slide mode CVE-2025-22600 WeGIA has a Cross-Site Scripting (XSS) Reflected endpoint `configuracao_doacao.php` parameter `avulso`