Description

In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7.

Related CPE's

a

moodle

moodle

3

o

fedoraproject

fedora

2

References

https://blog.hackingforce.com.br/en/cve-2021-36568/

ExploitThird Party Advisory

https://drive.google.com/drive/folders/1_fO4BKpmD3avGYHSzvIXWs5owqVYgB1s?usp=sharing

Broken LinkThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERQ3NHVOK4ZXT4MS4LBQ2ZJHTON3LIMW/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PRI4ETMQ4DJR3TZUOOGPBQ32RBD5LNGC/

Weaknesses

[email protected]

Primary
CWE-79

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.4 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2022-09-13T22:15:08.793

2 years ago

Last modified

2023-11-07T03:36:46.330

1 year ago