CVE-2021-36396

HIGH

Moodle - Blind Server-Side Request Forgery via Redirect Handling Bypass

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-36396. PoCs published by T0X1Cx.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2021-36396, a time-based SQL injection vulnerability in Moodle's 'sort' parameter. The exploit uses a time-based blind SQLi technique to extract database names, usernames, and password hashes from the target system.

Description

In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.

Exploits (2)

nomisec WORKING POC 20 stars
by T0X1Cx · poc
https://github.com/T0X1Cx/CVE-2021-36396-Moodle-Time-Based-SQLi-Exploit

This repository contains a functional Python exploit for CVE-2021-36396, a time-based SQL injection vulnerability in Moodle's 'sort' parameter. The exploit uses a time-based blind SQLi technique to extract database names, usernames, and password hashes from the target system.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Moodle (versions 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions)
Auth required
Prerequisites: Valid Moodle session cookie · Student role or higher privileges · Network access to the target Moodle instance
devstral-2 · analyzed Feb 19, 2026
inthewild WORKING POC
poc
https://github.com/t0x1cx/cve-2021-36396-exploit

This repository contains a functional Python exploit for CVE-2021-36396, a time-based SQL injection vulnerability in Moodle's 'sort' parameter. The exploit extracts database names, usernames, and password hashes by leveraging a time-based blind SQLi technique.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Moodle (3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier)
Auth required
Prerequisites: valid Moodle session cookie · student role or higher privileges
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0188
EPSS Percentile: 83.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-918
Status: published
Products (2):
moodle/moodle < 3.9.8
moodle/moodle 3.11.0-beta - 3.11.1 · Packagist
Published: Mar 06, 2023
Tracked Since: Feb 18, 2026