cbcvebase.
CVE-2021-21809
published 2021-06-23

CVE-2021-21809: A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to…

PriorityP267critical9.1CVSS 3.1
AVNACLPRHUINSCCHIHAH
EXPLOIT
EPSS
24.17%
97.6th percentile
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.

Affected

2 ranges
VendorProductVersion rangeFixed in
moodlemoodle
moodlemoodle

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/moodle_spelling_path_rce.rb
  • Monitor HTTP requests to Moodle's spellchecker configuration endpoint for unusual or shell-metacharacter-containing values in the aspell path field, which may indicate command injection attempts.
  • Alert on a series of authenticated HTTP requests targeting Moodle's legacy spellchecker plugin settings, particularly POST requests modifying spellcheck/aspell path configuration.
  • This vulnerability is functionally identical to CVE-2013-3630 but uses a different variable; detections or rules written for CVE-2013-3630 Moodle spellchecker RCE should be reviewed and adapted for this vector.
  • ·Exploitation requires valid administrator credentials; this is not an unauthenticated vulnerability. Detections should correlate admin-level session activity with spellchecker configuration changes.
  • ·The vulnerability resides specifically in the default legacy spellchecker plugin; instances that have disabled or removed this plugin are not affected.
  • ·The Metasploit module confirms exploitation against Moodle versions 3.11.2, 3.10.0, and 3.8.0; scope detection rules accordingly to these versions.

CVSS provenance

nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
nvdv3.08.2HIGHCVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
osv9.1CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.