The version of Moodle installed on the remote host is 3.9.x prior to 3.9.8, 3.10.x prior to 3.10.5 or 3.11.x prior to 3.11.1. It is, therefore, affected by multiple vulnerabilities:
An SQL injection in the library fetching a user’s enrolled courses. (CVE-2021-36392)
An SQL injection in the library fetching a user’s recent courses. (CVE-2021-36393)
A Remote Code Execution (RCE) in the Shibboleth authentication plugin, when enabled. (CVE-2021-36394)
A recursion Denial of Service (DoS) in the file repository’s URL parsing function. (CVE-2021-36395)
A blind Server-Side Request Forgery (SSRF) due to insufficient redirect handling, leading to the bypass of cURL blocked hosts and allowed ports restrictions. (CVE-2021-36396)
An Insecure Direct Object Reference (IDOR) vulnerability allowing a user to delete other users' messages. (CVE-2021-36397)
A stored Cross-Site Scripting (XSS) vulnerability in the ID numbers displayed in the web service token list. (CVE-2021-36398)
A stored Cross-Site Scripting (XSS) vulnerability in the ID numbers displayed in the quiz override screens. (CVE-2021-36399)
An Insecure Direct Object Reference (IDOR) vulnerability allowing a user to remove other users' calendar URL subscriptions. (CVE-2021-36400)
A stored Cross-Site Scripting (XSS) vulnerability in the ID numbers exported in HTML data formats being read locally. (CVE-2021-36401)
Improper input validation in user names of account confirmation emails, leading to phishing risks. (CVE-2021-36402)
Improper input validation when processing email notifications containing HTML, leading to phishing risks. (CVE-2021-36403)
Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36392
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36393
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36394
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36395
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36396
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36397
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36398
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36399
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36400
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36401
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36402
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36403
moodle.org/mod/forum/discuss.php?d=424797#p1710816
moodle.org/mod/forum/discuss.php?d=424798#p1710817
moodle.org/mod/forum/discuss.php?d=424799#p1710818
moodle.org/mod/forum/discuss.php?d=424801#p1710820
moodle.org/mod/forum/discuss.php?d=424802#p1710821
moodle.org/mod/forum/discuss.php?d=424803#p1710822
moodle.org/mod/forum/discuss.php?d=424804#p1710823
moodle.org/mod/forum/discuss.php?d=424805#p1710824
moodle.org/mod/forum/discuss.php?d=424806#p1710825
moodle.org/mod/forum/discuss.php?d=424807#p1710826
moodle.org/mod/forum/discuss.php?d=424808#p1710827
moodle.org/mod/forum/discuss.php?d=424809#p1710828