CVE-2021-36568 — Cross-site Scripting in Moodle
Severity
5.4 MEDIUM (NVD)
EPSS
0.4%
top 37.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 13
Latest update: Sep 14
Description
In certain Moodle products, after creating a course, it is possible to add a resource to an arbitrary "Topic", in this case a "Database" with the type "Text", whose "Field name" and "Field description" values are vulnerable to stored cross-site scripting (XSS). This affects Moodle 3.11, Moodle 3.10.4 and Moodle 3.9.7.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7
Affected Packages: 2 packages
Also affects: Fedora 35, 36