Moodle: Improper Control of Generation of Code ('Code Injection') (CVE-2019-14827)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | May 17, 2021 | Jun 3, 2021 | Apr 7, 2026 |
Description
A vulnerability was found in Moodle where JavaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions.
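The recursive-rendering behaviour described above can be reproduced in a simplified model. This is an added example, not Moodle's code and not part of the original advisory: the toy engine, the `quote` helper, `renderPage` and the sample input are constructed for illustration, and escaping the tag delimiters is one mitigation in this model, not necessarily the change Moodle shipped.

```javascript
// Toy Mustache-like engine (constructed model; not Moodle's or Mustache's code).
// Supports {{name}} variables and {{#helper}}body{{/helper}} sections.
function renderPage(userName, escapeHelperTags) {
  const queuedJs = []; // scripts the {{#js}} helper would add to the page
  const helpers = {
    // Queues its body as page JavaScript and emits no markup.
    js: (body) => { queuedJs.push(body); return ''; },
    // Hypothetical wrapping helper: renders its body against the context.
    quote: (body, render) => '<q>' + render(body) + '</q>',
  };
  const htmlEscape = (s) =>
    String(s).replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
  // Hardened path: neutralise Mustache delimiters inside context values.
  const tagEscape = (s) =>
    s.replace(/\{\{/g, '&#123;&#123;').replace(/\}\}/g, '&#125;&#125;');

  function render(template, context) {
    // As with Mustache lambdas, a helper's return value is rendered again,
    // so any tags that reached its output are interpreted as template code.
    const withSections = template.replace(
      /\{\{#(\w+)\}\}([\s\S]*?)\{\{\/\1\}\}/g,
      (match, name, body) => {
        if (!helpers[name]) return '';
        const produced = helpers[name](body, (t) => render(t, context));
        return render(produced, context);
      });
    // HTML escaping alone leaves "{{" and "}}" untouched.
    return withSections.replace(/\{\{(\w+)\}\}/g, (match, key) => {
      const value = htmlEscape(context[key] ?? '');
      return escapeHelperTags ? tagEscape(value) : value;
    });
  }

  const html = render('{{#quote}}Hello {{name}}{{/quote}}', { name: userName });
  return { html, queuedJs };
}

// Constructed context value carrying a helper tag.
const sampleName = 'x{{#js}}injected(){{/js}}';
console.log(renderPage(sampleName, false)); // helper tag is executed as template code
console.log(renderPage(sampleName, true));  // helper tag is rendered as inert text
```

In the unescaped run the `js` helper receives the user-supplied body even though the value was HTML-escaped; in the escaped run nothing is queued and the braces reach the page only as character entities.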
Solution
moodle-upgrade-latest