The version of Moodle installed on the remote host is 3.9.x prior to 3.9.19, 3.11.x prior to 3.11.12, 4.0.x prior to 4.0.6 or 4.1.x prior to 4.1.1. It is, therefore, affected by multiple vulnerabilities:
A Cross-Site Scripting (XSS) vulnerability due to the lack of sanitization of some returnurl parameters. (CVE-2023-23921)
A Cross-Site Scripting (XSS) vulnerability due to the lack of sanitization in the blog search functionality. (CVE-2023-23922)
An Insecure Direct Object Reference (IDOR) vulnerability allowing users to set the preferred start page of any other user. (CVE-2023-23923)
Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.
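The check above is purely version-based, so it is worth being explicit about what that comparison actually does. The following is an added example, not the scanner's own plugin code: it parses a self-reported Moodle release string and compares it against the four fixed releases listed in this advisory. Branches the advisory does not mention (for instance 3.10.x or 4.2.x) are reported as not covered rather than as affected or fixed. The version strings in the demo are constructed inputs, and the assumption that a trailing "+" (Moodle's marker for a weekly build after a tagged release) should be treated as the tagged release is a conservative choice made here; it can produce a false positive on a weekly build that already carries the fix, which is exactly the limitation of relying on a self-reported version number.

```python
import re

# First fixed release per affected branch, as stated in this advisory.
# Branches absent from this table are not covered by the advisory at all.
FIXED_IN = {
    (3, 9): (3, 9, 19),
    (3, 11): (3, 11, 12),
    (4, 0): (4, 0, 6),
    (4, 1): (4, 1, 1),
}

# Matches "major.minor" with an optional ".patch"; anything after that
# (a "+" weekly-build marker, "(Build: ...)", etc.) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Parse a self-reported Moodle release string into (major, minor, patch).

    A missing patch component is treated as 0, so "4.1" becomes (4, 1, 0).
    The "+" suffix Moodle uses for weekly builds is deliberately dropped
    (assumption: treat a weekly build as its tagged release, which errs
    towards reporting a host as affected).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Moodle version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else 0)


def assess(version_text):
    """Return 'affected', 'fixed' or 'not-covered' for a reported version.

    'not-covered' means the branch is not one of the four this advisory
    lists; it says nothing about whether that branch is vulnerable.
    """
    major, minor, patch = parse_version(version_text)
    first_fixed = FIXED_IN.get((major, minor))
    if first_fixed is None:
        return "not-covered"
    return "affected" if (major, minor, patch) < first_fixed else "fixed"


def assess_many(reports):
    """Assess a mapping of host -> reported version; returns host -> verdict."""
    return {host: assess(version) for host, version in reports.items()}


if __name__ == "__main__":
    # Constructed sample data, not output from any real scan.
    sample = {
        "lms-a.example": "3.9.18",
        "lms-b.example": "3.11.12",
        "lms-c.example": "4.0.5+ (Build: 20221223)",
        "lms-d.example": "4.1",
        "lms-e.example": "3.10.11",
    }
    for host, verdict in assess_many(sample).items():
        print(f"{host:16} {sample[host]:28} {verdict}")
```

Because the comparison is tuple-based, "4.1" (no patch component) correctly sorts below "4.1.1" and is reported as affected, while the same logic reports "3.9.19" and "4.0.6" as fixed. A host on a branch outside the table should be triaged separately against the vendor's own release notes rather than assumed clean.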
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23921
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23922
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23923
moodle.org/mod/forum/discuss.php?d=443272#p1782021
moodle.org/mod/forum/discuss.php?d=443273#p1782022
moodle.org/mod/forum/discuss.php?d=443274#p1782023