CVE-2021-20187

HIGH

Moodle < 3.5.16 - Code Injection

Title source: rule

Description

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.

References (1)

[Patch, Vendor Advisory] https://moodle.org/mod/forum/discuss.php?d=417171

Scores

CVSS v3 7.2

EPSS 0.0068

EPSS Percentile 71.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-829 CWE-94

Status published

Products (3)

moodle/moodle 3.10.0

moodle/moodle < 3.5.16

moodle/moodle 3.5 - 3.5.16Packagist

Published Jan 28, 2021

Tracked Since Feb 18, 2026