CVE-2021-27131
MEDIUM
Moodle 3.10.1 - Stored Cross-Site Scripting via Header and Footer Additional HTML Section
Title source: llmDescription
Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to improper input sanitization of the "Additional HTML Section" via the "Header and Footer" parameter in /admin/settings.php. This vulnerability allows an attacker to steal the admin's and all users' account cookies by storing a malicious XSS payload in Header and Footer. NOTE: this is disputed by the vendor because the "Additional HTML Section" for "Header and Footer" can only be supplied by an administrator, who is intentionally allowed to enter unsanitized input (e.g., site-specific JavaScript).
References (3)
Core References
Product
https://github.com/moodle/moodle
Various Sources
https://docs.moodle.org/402/en/Risks
Scores
CVSS v3
5.4
EPSS
0.0016
EPSS Percentile
36.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
moodle/moodle
3.10.1
moodle/moodle
Packagist
Published
May 16, 2023
Tracked Since
Feb 18, 2026