The version of Moodle installed on the remote host is 3.9.x prior to 3.9.10, 3.10.x prior to 3.10.7 or 3.11.x prior to 3.11.3. It is, therefore, affected by multiple vulnerabilities:
A session hijack vulnerability was identified in the Shibboleth authentication plugin, when enabled. (CVE-2021-40691)
An Insecure Direct Object Reference (IDOR) allowing teachers to download other courses' users. (CVE-2021-40692)
An authentication bypass vulnerability was identified in the external database authentication functionality due to a type juggling vulnerability. (CVE-2021-40693)
An arbitrary file read due to insufficient escaping of the LaTeX preamble, allowing site administrators to read files available to the HTTP server system account. (CVE-2021-40694)
An information disclosure allowing students to see their quiz grade through the quiz web service before its release. (CVE-2021-40695)
Note that the scanner has not attempted to exploit these issues but has instead relied only on the application’s self-reported version number.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40691
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40692
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40693
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40694
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40695
moodle.org/mod/forum/discuss.php?d=427103#p1719325
moodle.org/mod/forum/discuss.php?d=427104#p1719326
moodle.org/mod/forum/discuss.php?d=427105#p1719327
moodle.org/mod/forum/discuss.php?d=427106#p1719328
moodle.org/mod/forum/discuss.php?d=427107#p1719329