The version of Moodle installed on the remote host is 3.5.x prior to 3.5.16, 3.8.x prior to 3.8.7, 3.9.x prior to 3.9.4 or 3.10.x prior to 3.10.1. It is, therefore, affected by multiple vulnerabilities:
A client-side Denial of Service (DoS) attack due to the lack of a character limit when sending messages. (CVE-2021-20185)
A stored Cross-Site Scripting vulnerability due to the lack of sanitization of TeX content when the TeX notation filter is enabled. (CVE-2021-20186)
Arbitrary PHP code execution by site administrators via a PHP include used during Shibboleth authentication. (CVE-2021-20187)
An information disclosure in grade-related web services, allowing students to view other students' grades. (CVE-2021-20184)
A Cross-Site Scripting (XSS) vulnerability due to the lack of input sanitization on the search template inputs. (CVE-2021-20183)
Note that the scanner has not attempted to exploit these issues but has instead relied only on the application’s self-reported version number.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20183
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20184
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20185
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20186
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20187
moodle.org/mod/forum/discuss.php?d=417166#p1680837
moodle.org/mod/forum/discuss.php?d=417167#p1680839
moodle.org/mod/forum/discuss.php?d=417168#p1680841
moodle.org/mod/forum/discuss.php?d=417170#p1680845
moodle.org/mod/forum/discuss.php?d=417171#p1680847