Lucene search

[email protected]CVE-2021-27131

HistoryMay 16, 2023 - 8:15 p.m.

CVE-2021-27131

2023-05-1620:15:08

CWE-79

[email protected]

web.nvd.nist.gov

moodle

xss

cross-site scripting

input sanitization

vulnerability

security

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.2%

JSON

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the “Additional HTML Section” via “Header and Footer” parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer. NOTE: this is disputed by the vendor because the “Additional HTML Section” for “Header and Footer” can only be supplied by an administrator, who is intentionally allowed to enter unsanitized input (e.g., site-specific JavaScript).

Affected configurations

NVD

Node

moodlemoodleMatch3.10.1

CPENameOperatorVersion
moodle:moodlemoodleeq3.10.1

CPE	Name	Operator	Version
moodle:moodle	moodle	eq	3.10.1

References

docs.moodle.org/402/en/Risks

github.com/moodle/moodle

github.com/p4nk4jv/CVEs-Assigned/blob/master/Moodle-3.10.1-CVE-2021-27131.md