CVE-2022-47131 - Vulnerability Details - OpenCVE

A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows an attacker to arbitrarily create a page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Creativeitem	Academy Lms

Configuration 1 [-]

cpe:2.3:a:creativeitem:academy_lms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://blog.hackingforce.com.br/en/xss
https://github.com/OpenXP-Research/CVE-2022-47131
https://portswigger.net/web-security/csrf
https://portswigger.net/web-security/csrf/xss-vs-csrf
https://www.linkedin.com/in/xvinicius/
https://xpsec.co/blog/academy-lms-5-10-add-page-csrf-xss

History

Wed, 26 Mar 2025 16:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/OpenXP-Research/CVE-2022-47131
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-02-03T00:00:00.000Z

Updated: 2025-03-26T15:38:43.991Z

Reserved: 2022-12-12T00:00:00.000Z

Link: CVE-2022-47131

Vulnrichment

Updated: 2024-08-03T14:47:28.653Z

NVD

Status : Modified

Published: 2023-02-03T01:15:12.833

Modified: 2025-03-26T16:15:16.770

Link: CVE-2022-47131

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-47131", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-03-26T15:38:43.991Z", "dateReserved": "2022-12-12T00:00:00.000Z", "datePublished": "2023-02-03T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-02-03T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows an attacker to arbitrarily create a page."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://portswigger.net/web-security/csrf"}, {"url": "https://www.linkedin.com/in/xvinicius/"}, {"url": "https://portswigger.net/web-security/csrf/xss-vs-csrf"}, {"url": "https://blog.hackingforce.com.br/en/xss"}, {"url": "https://xpsec.co/blog/academy-lms-5-10-add-page-csrf-xss"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:47:28.653Z"}, "title": "CVE Program Container", "references": [{"url": "https://portswigger.net/web-security/csrf", "tags": ["x_transferred"]}, {"url": "https://www.linkedin.com/in/xvinicius/", "tags": ["x_transferred"]}, {"url": "https://portswigger.net/web-security/csrf/xss-vs-csrf", "tags": ["x_transferred"]}, {"url": "https://blog.hackingforce.com.br/en/xss", "tags": ["x_transferred"]}, {"url": "https://xpsec.co/blog/academy-lms-5-10-add-page-csrf-xss", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "references": [{"url": "https://github.com/OpenXP-Research/CVE-2022-47131", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-26T15:37:26.503415Z", "id": "CVE-2022-47131", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-26T15:38:43.991Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://portswigger.net/web-security/csrf", "tags": ["x_transferred"]}, {"url": "https://www.linkedin.com/in/xvinicius/", "tags": ["x_transferred"]}, {"url": "https://portswigger.net/web-security/csrf/xss-vs-csrf", "tags": ["x_transferred"]}, {"url": "https://blog.hackingforce.com.br/en/xss", "tags": ["x_transferred"]}, {"url": "https://xpsec.co/blog/academy-lms-5-10-add-page-csrf-xss", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:47:28.653Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-47131", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-26T15:37:26.503415Z"}}}], "references": [{"url": "https://github.com/OpenXP-Research/CVE-2022-47131", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-26T15:37:15.687Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://portswigger.net/web-security/csrf"}, {"url": "https://www.linkedin.com/in/xvinicius/"}, {"url": "https://portswigger.net/web-security/csrf/xss-vs-csrf"}, {"url": "https://blog.hackingforce.com.br/en/xss"}, {"url": "https://xpsec.co/blog/academy-lms-5-10-add-page-csrf-xss"}], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows an attacker to arbitrarily create a page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-02-03T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-47131", "state": "PUBLISHED", "dateUpdated": "2025-03-26T15:38:43.991Z", "dateReserved": "2022-12-12T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-02-03T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:creativeitem:academy_lms:*:*:*:*:*:*:*:*", "matchCriteriaId": "F21E0789-3CEB-42BE-A61A-594410D15132", "versionEndExcluding": "5.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows an attacker to arbitrarily create a page."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-Site Request Forgery (CSRF) en Academy LMS anterior a v5.10 permite a un atacante crear una p\u00e1gina arbitrariamente."}], "id": "CVE-2022-47131", "lastModified": "2025-03-26T16:15:16.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-02-03T01:15:12.833", "references": [{"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://blog.hackingforce.com.br/en/xss"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://portswigger.net/web-security/csrf"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://portswigger.net/web-security/csrf/xss-vs-csrf"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.linkedin.com/in/xvinicius/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://xpsec.co/blog/academy-lms-5-10-add-page-csrf-xss"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://blog.hackingforce.com.br/en/xss"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://portswigger.net/web-security/csrf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://portswigger.net/web-security/csrf/xss-vs-csrf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.linkedin.com/in/xvinicius/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://xpsec.co/blog/academy-lms-5-10-add-page-csrf-xss"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/OpenXP-Research/CVE-2022-47131"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}