vulnerability
Moodle: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2021-36568)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:M/Au:S/C:P/I:P/A:N) | Sep 13, 2022 | Sep 19, 2022 | Feb 15, 2026 |
Severity
5
CVSS
(AV:N/AC:M/Au:S/C:P/I:P/A:N)
Published
Sep 13, 2022
Added
Sep 19, 2022
Modified
Feb 15, 2026
Description
In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7.
Solution
moodle-upgrade-latest
References
- CVE-2021-36568
- https://attackerkb.com/topics/CVE-2021-36568
- CWE-79
- URL-https://blog.hackingforce.com.br/en/cve-2021-36568/
- URL-https://drive.google.com/drive/folders/1_fO4BKpmD3avGYHSzvIXWs5owqVYgB1s?usp=sharing
- URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERQ3NHVOK4ZXT4MS4LBQ2ZJHTON3LIMW/
- URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PRI4ETMQ4DJR3TZUOOGPBQ32RBD5LNGC/
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.