CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile: 38.0%
In certain Moodle products, after creating a course it is possible to add a resource to an arbitrary “Topic”, in this case a “Database” with the type “Text”, whose “Field name” and “Field description” values are vulnerable to stored cross-site scripting (XSS). This affects Moodle 3.11.x prior to 3.11.10, Moodle 3.10.4, and Moodle 3.9.7.
blog.hackingforce.com.br/en/cve-2021-36568
bugzilla.redhat.com/show_bug.cgi?id=2126857
github.com/moodle/moodle
lists.fedoraproject.org/archives/list/[email protected]/message/ERQ3NHVOK4ZXT4MS4LBQ2ZJHTON3LIMW
lists.fedoraproject.org/archives/list/[email protected]/message/PRI4ETMQ4DJR3TZUOOGPBQ32RBD5LNGC
nvd.nist.gov/vuln/detail/CVE-2021-36568