First published: Thu Jan 19 2023
MSA-23-0001: Reflected XSS risk in some returnurl parameters
Some returnurl parameters required additional sanitizing to prevent a reflected XSS risk.
Versions affected: 4.1, 4.0 to 4.0.5, 3.11 to 3.11.11, 3.9 to 3.9.18 and earlier unsupported versions
Versions fixed: 4.1.1, 4.0.6, 3.11.12 and 3.9.19
Credit: patrick@puiterwijk.org
Affected Software | Affected Version | How to fix |
---|---|---|
Moodle Moodle | >=3.9.0 <3.9.19 | 3.9.19 |
Moodle Moodle | >=3.11.0 <3.11.12 | 3.11.12 |
Moodle Moodle | >=4.0.0 <4.0.6 | 4.0.6 |
Moodle Moodle | =4.1.0 | 4.1.1 |
redhat/moodle | <4.1.1 | 4.1.1 |
redhat/moodle | <4.0.6 | 4.0.6 |
redhat/moodle | <3.11.12 | 3.11.12 |
redhat/moodle | <3.9.19 | 3.9.19 |
The vulnerability ID is CVE-2023-23921.
The severity of CVE-2023-23921 is high.
CVE-2023-23921 affects Moodle 3.9.0 through 3.9.18, 3.11.0 through 3.11.11, 4.0.0 through 4.0.5 and 4.1.0, as well as earlier unsupported branches; 3.9.19, 3.11.12, 4.0.6 and 4.1.1 are the first fixed releases and are not affected.
A remote attacker who tricks a victim into following a specially crafted link can execute arbitrary HTML and script code in the victim's browser within the context of the vulnerable Moodle site. Because the XSS is reflected, the payload travels in the link itself (here, an insufficiently sanitized returnurl parameter) and runs with the victim's logged-in session.
To fix CVE-2023-23921, update your Moodle installation to version 4.1.1, 4.0.6, 3.11.12, or 3.9.19.
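To make the class of bug concrete, the following is an added illustration, not Moodle code and not the advisory's patch: a "returnurl"-style parameter reflected straight into a hidden form field (the vulnerable sink), beside a hardened version that first allow-lists the value as a site-local path and then encodes it for the HTML attribute context. The sink markup, the allow-list rules and the probe strings are all assumptions constructed for this example; the real Moodle fix is in the linked advisory.

```python
import html
from urllib.parse import urlsplit

DEFAULT_RETURN = "/"  # assumed safe fallback when the parameter is rejected


def sanitize_returnurl(returnurl: str, default: str = DEFAULT_RETURN) -> str:
    """Return `returnurl` only if it is a site-local path, otherwise `default`.

    Deliberately strict allow-list (an assumption of this example):
      * no control characters: CR/LF would also break a Location header, and
        urlsplit() silently strips tab/newline, so this check must come first;
      * must begin with exactly one "/" so that "//host" and "/\\host", which
        browsers treat as protocol-relative, are rejected;
      * must parse with no scheme and no netloc ("javascript:", "http://").
    """
    if any(ord(c) < 0x20 or c == "\x7f" for c in returnurl):
        return default
    if not returnurl.startswith("/") or returnurl[1:2] in ("/", "\\"):
        return default
    try:
        parts = urlsplit(returnurl)
    except ValueError:  # e.g. malformed IPv6 bracket syntax
        return default
    if parts.scheme or parts.netloc:
        return default
    return returnurl


def render_vulnerable(returnurl: str) -> str:
    # Reflects the raw parameter into an attribute: the reflected-XSS sink.
    return f'<input type="hidden" name="returnurl" value="{returnurl}">'


def render_hardened(returnurl: str) -> str:
    # Validate the value, then encode it for the HTML attribute context.
    safe = sanitize_returnurl(returnurl)
    return (
        '<input type="hidden" name="returnurl" '
        f'value="{html.escape(safe, quote=True)}">'
    )


# Constructed probe values (not taken from the advisory), one per failure mode.
PROBES = {
    "legit": "/course/view.php?id=7&a=b",
    "attr_breakout": '"><script>alert(document.domain)</script>',
    "event_handler": '/x" onmouseover="alert(1)',
    "js_scheme": "javascript:alert(1)",
    "open_redirect": "//evil.example/phish",
    "backslash_redirect": "/\\evil.example",
    "crlf": "/x\r\nSet-Cookie: a=b",
}


def compare(probes=PROBES) -> dict:
    """Render every probe through both sinks so the difference is visible."""
    return {
        name: {"vulnerable": render_vulnerable(p), "hardened": render_hardened(p)}
        for name, p in probes.items()
    }


if __name__ == "__main__":
    for name, out in compare().items():
        print(f"[{name}]")
        print("  vulnerable:", out["vulnerable"])
        print("  hardened:  ", out["hardened"])
```

Two layers are used on purpose: the allow-list stops the value from being abused as a redirect target or a `javascript:` URL, and the attribute encoding stops an attribute breakout even if a quote slips past the allow-list. Either control alone leaves one of the probes live.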