CVE-2024-28593 identifies a vulnerability in the Chat activity module of Moodle version 4.3.3, where the system allows students to insert HTML elements such as <a> (anchor) and <img> (image) tags or other HTML content. This capability is documented in Moodle's Using_Chat page, which permits HTML usage to enhance chat messages with images, sounds, and styled text. However, this flexibility introduces a security risk because malicious or malformed HTML can be injected, potentially leading to performance degradation or other unintended effects. The vulnerability is categorized under CWE-94 (Improper Control of Generation of Code), indicating that user-supplied input is not properly sanitized or controlled before being processed or rendered. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) indicates that the attack can be performed remotely over the network without privileges but requires user interaction. The impact on confidentiality and integrity is low, with no availability impact. No known exploits have been reported, and no official patches have been linked at the time of publication. The Chat feature is slated for removal in future Moodle releases, but until then, this vulnerability poses a risk to installations that have it enabled.

The vulnerability could allow malicious users (students) to inject HTML content that may degrade the performance of the Moodle Chat activity, potentially disrupting the user experience. While the impact on confidentiality and integrity is limited, the ability to insert arbitrary HTML could be leveraged for phishing or social engineering attacks within the chat environment. Performance degradation could affect the availability of the chat feature for legitimate users, impacting collaboration and communication in educational settings. Since the vulnerability requires user interaction and does not require authentication, it could be exploited by any participant in the chat. Organizations relying on Moodle for online education may face reduced service quality and potential reputational damage if exploited. However, the scope is limited to the Chat activity, which is planned for removal, reducing long-term risk.

Administrators should consider disabling the Chat activity in Moodle 4.3.3 if it is not essential, especially since it is planned for removal in future versions. If disabling is not feasible, restrict chat usage to trusted users and monitor chat content for suspicious HTML injections. Implement content filtering or sanitization mechanisms to strip or neutralize potentially harmful HTML tags and attributes before rendering chat messages. Regularly update Moodle to newer versions where the Chat feature is removed or patched. Educate users about the risks of interacting with untrusted links or images in chat messages. Additionally, consider deploying web application firewalls (WAFs) that can detect and block malicious HTML payloads in user inputs. Monitor Moodle security advisories for any forthcoming patches addressing this vulnerability.