CVE-2021-21809
Published 2021-06-23
Priority P2 · 67 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 24.17% (97.6th percentile)
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| moodle | moodle | — | — |
| moodle | moodle | — | — |
Detection & IOCs (extracted from sources)
URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/moodle_spelling_path_rce.rb
- Monitor HTTP requests to Moodle's spellchecker configuration endpoint for unusual or shell-metacharacter-containing values in the aspell path field, which may indicate command injection attempts.
- Alert on a series of authenticated HTTP requests targeting Moodle's legacy spellchecker plugin settings, particularly POST requests modifying spellcheck/aspell path configuration.
- This vulnerability is functionally identical to CVE-2013-3630 but uses a different variable; detections or rules written for CVE-2013-3630 Moodle spellchecker RCE should be reviewed and adapted for this vector.
- Exploitation requires valid administrator credentials; this is not an unauthenticated vulnerability. Detections should correlate admin-level session activity with spellchecker configuration changes.
- The vulnerability resides specifically in the default legacy spellchecker plugin; instances that have disabled or removed this plugin are not affected.
- The Metasploit module confirms exploitation against Moodle versions 3.11.2, 3.10.0, and 3.8.0; scope detection rules accordingly to these versions.
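CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| nvd | v3.0 | 8.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| osv | — | 9.1 | CRITICAL | — |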
OSV
Moodle command execution vulnerability exists in the default legacy spellchecker plugin
osv · 2022-05-24
CVE-2021-21809 [CRITICAL]
A command execution vulnerability exists in the default legacy spellchecker plugin in a few Moodle multiple specific versions. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerability.
GHSA
Moodle command execution vulnerability exists in the default legacy spellchecker plugin
ghsa · 2022-05-24
CVE-2021-21809 [CRITICAL] CWE-732
A command execution vulnerability exists in the default legacy spellchecker plugin in a few Moodle multiple specific versions. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerability.
OSV
CVE-2021-21809: A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3
osv · 2021-06-23 · CVSS 9.1
CVE-2021-21809 [CRITICAL]
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerability.
- http://packetstormsecurity.com/files/164481/Moodle-SpellChecker-Path-Authenticated-Remote-Command-Execution.html
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1277