CVE-2021-36568
Moodle Cross-site Scripting vulnerability
CVSS 3.1 base score: 5.4 (MEDIUM)
EPSS: 0.43%
Description
In certain Moodle products, after creating a course it is possible to add a resource to an arbitrary "Topic", in this case a "Database" activity with a field of type "Text", whose "Field name" and "Field description" values are vulnerable to stored Cross-Site Scripting (XSS). This affects Moodle 3.11, Moodle 3.10.4 and Moodle 3.9.7.
How to fix CVE-2021-36568
To remediate CVE-2021-36568, upgrade the affected package to a fixed version below.
- Upgrade to 3.9.8 or later
- No fix listed
Is CVE-2021-36568 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 3.9.7 and < 3.9.8; >= 3.10.4 and < 3.10.5; >= 3.11.0 and < 3.11.1
- from 0 up to and including 3.9.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |