CVE-2021-32478
Published 2022-03-11
Priority P1 · 79 · medium · 6.1 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Badges: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.16% (63.1th percentile)
The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| moodle | moodle | < 3.8.9 | 3.8.9 |
| moodle | moodle | — | — |
| moodle | moodle | >= 3.10 < 3.10.4 | 3.10.4 |
| moodle | moodle | >= 3.10.0 < 3.10.4 | 3.10.4 |
| moodle | moodle | >= 3.8 < 3.8.9 | 3.8.9 |
| moodle | moodle | >= 3.9 < 3.9.7 | 3.9.7 |
| moodle | moodle | >= 3.9.0 < 3.9.7 | 3.9.7 |
Detection & IOCs (extracted from sources)
yara
strings: $a = '<form action="javascript:alert' condition: $a
- Probe the LTI authorization endpoint at /mod/lti/auth.php with a javascript: scheme in the redirect_uri parameter; a vulnerable instance will reflect the payload inside a <form action=...> element in the response body.
- Match both the random string token AND the literal string '<form action="javascript:alert' in the HTTP 200 text/html response body to confirm exploitation.
- The vulnerability is in the redirect_uri parameter of the LTI authorization endpoint; monitor GET requests to /mod/lti/auth.php where redirect_uri contains javascript: or non-HTTP(S) URI schemes.
- Exploit requires user interaction (UI:R) — the victim must follow a crafted URL containing the malicious redirect_uri value; no authentication is required from the attacker side.
- The Nuclei template is tagged 'intrusive' meaning active probing will send a javascript: XSS payload to the target; use only in authorized testing contexts.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vulncheck | — | 6.1 | MEDIUM | — |
GHSA
Moodle reflected XSS (ghsa · 2022-03-12 · CVE-2021-32478 · MEDIUM · CWE-79)
OSV
Moodle reflected XSS (osv · 2022-03-12 · CVE-2021-32478 · MEDIUM)
OSV
CVE-2021-32478: The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks (osv · 2022-03-11 · MEDIUM · CVSS 6.1)
VulnCheck
Moodle moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (vulncheck · 2021 · CVE-2021-32478 · MEDIUM · CVSS 6.1)
Affected: Moodle moodle
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2021-32478
No detection rules found.
Nuclei
Moodle 3.8-3.10.3 - Reflected XSS & Open Redirect (nuclei · CVE-2021-32478 · MEDIUM · CVSS 6.1)
Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 contain a reflected XSS and open redirect caused by insufficient sanitization of the redirect URI in the LTI authorization endpoint, letting attackers execute scripts or redirect users maliciously, exploit requires crafted URL with malicious redirect URI.
Template:

```yaml
id: CVE-2021-32478

info:
  name: Moodle 3.8-3.10.3 - Reflected XSS & Open Redirect
  author: hackergautam
  severity: medium
  description: |
    Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 contain a reflected XSS and open redirect caused by insufficient sanitization of the redirect URI in the LTI authorization endpoint, letting attackers execute scripts or redirect users maliciously, exploit requires crafted URL w
```
No writeups or analysis indexed.