CVE-2021-20280

MEDIUM

Moodle 3.5.0-3.5.16, 3.8.0-3.8.7, 3.9.0-3.9.4, 3.10.0-3.10.1 - Stored XSS and SSRF in Text-Based Feedback

Title source: llm
STIX 2.1

Description

Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

References (6)

Core 6
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1939037
Patch, Vendor Advisory x_refsource_misc
https://moodle.org/mod/forum/discuss.php?d=419651

Scores

CVSS v3 5.4
EPSS 0.0072
EPSS Percentile 72.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (5)
fedoraproject/fedora 32
fedoraproject/fedora 33
fedoraproject/fedora 34
moodle/moodle 3.10 - 3.10.2Packagist
moodle/moodle 3.5.0 - 3.5.17
Published Mar 15, 2021
Tracked Since Feb 18, 2026