Moodle 3.8.x < 3.8.7 Multiple Vulnerabilities

The version of Moodle installed on the remote host is 3.5.x prior to 3.5.16, 3.8.x prior to 3.8.7, 3.9.x prior to 3.9.4 or 3.10.x prior to 3.10.1. It is, therefore, affected by multiple vulnerabilities:

• A client-side Denial of Service (DoS) attack due to the lack of character limit when sending messages. (CVE-2021-20185)

• A stored Cross-Site Scripting vulnerability due to the lack of sanitization of TeX content when the TeX notation filter is enabled. (CVE-2021-20186)

• An arbitrary PHP code execution by site administrators via a PHP include used during Shibboleth authentication. (CVE-2021-20187)

• An information disclosure in grade related web services, allowing students to view other students grades. (CVE-2021-20184)

• A Cross-Site Scripting (XSS) vulnerability due to the lack of input sanitization on the search template inputs. (CVE-2021-20183)

Note that the scanner has not attempted to exploit this issue but has instead relied only on application’s self-reported version number.