CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile: 38.0%
In certain Moodle products, after creating a course, it is possible to add a resource to an arbitrary “Topic”, in this case a “Database” with the type “Text”, whose “Field name” and “Field description” values are vulnerable to stored cross-site scripting (XSS). This affects Moodle 3.11.x prior to 3.11.10, Moodle 3.10.4, and Moodle 3.9.7.
blog.hackingforce.com.br/en/cve-2021-36568/
bugzilla.redhat.com/show_bug.cgi?id=2126857
github.com/advisories/GHSA-fm6m-fg23-67jq
lists.fedoraproject.org/archives/list/[email protected]/message/ERQ3NHVOK4ZXT4MS4LBQ2ZJHTON3LIMW/
lists.fedoraproject.org/archives/list/[email protected]/message/PRI4ETMQ4DJR3TZUOOGPBQ32RBD5LNGC/
nvd.nist.gov/vuln/detail/CVE-2021-36568