CVE-2021-32478
Moodle reflected XSS
6.1
MEDIUM
CVSS 3.1
EPSS 3.4%
Description
The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected.
How to fix CVE-2021-32478
To remediate CVE-2021-32478, upgrade the affected package to a fixed version below.
- Bitnami/moodle: upgrade to 3.8.9 or later
- (package name missing): upgrade to 3.10.4 or later
Is CVE-2021-32478 being exploited?
Low — EPSS is 3.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0, < 3.8.9; >= 3.9.0, < 3.9.7; >= 3.10.0, < 3.10.4
- >= 3.10, < 3.10.4
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |