CVE-2021-36568
MEDIUM
Moodle 3.9.7, 3.10.4, 3.11 - Stored Cross-Site Scripting in Database Activity Field Name and Description
Title source: llm
Description
In certain Moodle products, after creating a course it is possible to add a resource to an arbitrary "Topic", in this case a "Database" with the type "Text", whose "Field name" and "Field description" values are vulnerable to stored Cross-Site Scripting (XSS). This affects Moodle 3.11, Moodle 3.10.4 and Moodle 3.9.7.
References (4)
Core References
Broken Link, Third Party Advisory x_refsource_misc
https://drive.google.com/drive/folders/1_fO4BKpmD3avGYHSzvIXWs5owqVYgB1s?usp=sharing
Exploit, Third Party Advisory x_refsource_misc
https://blog.hackingforce.com.br/en/cve-2021-36568/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PRI4ETMQ4DJR3TZUOOGPBQ32RBD5LNGC/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERQ3NHVOK4ZXT4MS4LBQ2ZJHTON3LIMW/
Scores
CVSS v3
5.4
EPSS
0.0043
EPSS Percentile
62.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (6)
fedoraproject/fedora
35
fedoraproject/fedora
36
moodle/moodle
3.9.7
moodle/moodle
3.10.4
moodle/moodle
3.11.0
moodle/moodle
0 Packagist
Published
Sep 13, 2022
Tracked Since
Feb 18, 2026