First published: Tue Sep 13 2022
In certain Moodle products, after creating a course it is possible to add a resource to an arbitrary "Topic", in this case a "Database" resource with a field of type "Text", whose "Field name" and "Field description" values are vulnerable to stored Cross Site Scripting (XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Moodle Moodle | =3.9.7 | |
Moodle Moodle | =3.10.4 | |
Moodle Moodle | =3.11.0 | |
Fedoraproject Fedora | =35 | |
Fedoraproject Fedora | =36 | |
CVE-2021-36568 is a vulnerability in certain Moodle products that allows for Cross Site Scripting (XSS) attacks.
Moodle versions 3.9.7, 3.10.4, and 3.11.0 are affected by CVE-2021-36568.
CVE-2021-36568 has a severity rating of medium with a score of 5.4.
A user with permission to create a course in Moodle can add a Database resource to an arbitrary topic and define a field of type 'Text'; that field's name and description are the values affected by the stored Cross Site Scripting (XSS) vulnerability.
To mitigate CVE-2021-36568, update your Moodle installation to a version that is not affected by the vulnerability.
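As an added defender-side example (not from this page or from Moodle's own code): a script that flags Database-activity Text fields whose stored "Field name" or "Field description" carries markup, beside the escaped rendering that neutralises such stored XSS on output. The `data_fields` column layout is an assumption about Moodle's schema, and the sample rows are constructed for the demo.

```python
import html
import re
import sqlite3

# Constructed sample rows shaped like Moodle's data_fields table, where the
# Database activity stores each field's "Field name" (name) and
# "Field description" (description). Column layout is an assumption.
SAMPLE_ROWS = [
    (1, 10, "text", "Author", "Name of the book's author"),
    (2, 10, "text", "Title<script>alert(1)</script>", "Book title"),
    (3, 11, "text", "Year", "<img src=x onerror=alert(document.cookie)>"),
    (4, 11, "text", "Price &lt;EUR&gt;", "Already-escaped, harmless"),
]

# Markup that should never appear in a plain-text field label or description:
# an HTML tag, a javascript: URL, or an inline event-handler attribute.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z][^>]*>|javascript\s*:|on[a-z]+\s*=", re.I)


def load_sample_db():
    """Build an in-memory SQLite copy of the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE data_fields (id INTEGER, dataid INTEGER, "
                "type TEXT, name TEXT, description TEXT)")
    con.executemany("INSERT INTO data_fields VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def find_suspicious_fields(con):
    """Return (field id, database id, column) for every Text field whose
    stored name or description contains markup, for triage after an upgrade."""
    hits = []
    query = "SELECT id, dataid, name, description FROM data_fields WHERE type = 'text'"
    for fid, dataid, name, desc in con.execute(query):
        for column, value in (("name", name), ("description", desc)):
            if value and SUSPICIOUS.search(value):
                hits.append((fid, dataid, column))
    return hits


def render_label(name, description):
    """Context-aware escaped rendering: the field name becomes element text,
    the description an attribute value, so stored markup is shown, not run."""
    return '<label title="%s">%s</label>' % (
        html.escape(description, quote=True), html.escape(name, quote=True))
```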