Lucene search

GitHub Advisory DatabaseGHSA-FM6M-FG23-67JQ

HistorySep 14, 2022 - 12:00 a.m.

Moodle Cross-site Scripting vulnerability

2022-09-1400:00:41

CWE-79

GitHub Advisory Database

github.com

moodle

cross-site scripting

vulnerability

database

text

stored xss

version 3.11.x

version 3.10.4

version 3.9.7

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

38.0%

JSON

In certain Moodle products after creating a course, it is possible to add in a arbitrary “Topic” a resource, in this case a “Database” with the type “Text” where its values “Field name” and “Field description” are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodle 3.11.x prior to 3.11.10, Moodle 3.10.4, and Moodle 3.9.7.

Affected configurations

Vulners

Node

moodlemoodleRange3.11.0–3.11.10

moodlemoodleRange3.10.0–3.10.4

moodlemoodleRange≤3.9.7

VendorProductVersionCPE
moodlemoodle*cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
moodle	moodle	*	cpe:2.3:a:moodle:moodle::::::::

References

blog.hackingforce.com.br/en/cve-2021-36568/

bugzilla.redhat.com/show_bug.cgi?id=2126857

github.com/advisories/GHSA-fm6m-fg23-67jq

lists.fedoraproject.org/archives/list/[email protected]/message/ERQ3NHVOK4ZXT4MS4LBQ2ZJHTON3LIMW/

lists.fedoraproject.org/archives/list/[email protected]/message/PRI4ETMQ4DJR3TZUOOGPBQ32RBD5LNGC/

nvd.nist.gov/vuln/detail/CVE-2021-36568