CVE-2019-14827

Source
https://cve.org/CVERecord?id=CVE-2019-14827
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14827.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-14827
Published
2021-05-17T16:15:07.510Z
Modified
2026-04-10T04:15:43.991214Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

A vulnerability was found in Moodle where JavaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions.

References

Affected packages

Git / github.com/moodle/moodle

Affected ranges

Type
GIT
Repo
https://github.com/moodle/moodle
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.5.0"
        },
        {
            "last_affected": "3.5.7"
        },
        {
            "introduced": "3.6.0"
        },
        {
            "last_affected": "3.6.5"
        },
        {
            "introduced": "3.7.0"
        },
        {
            "last_affected": "3.7.1"
        }
    ]
}

Affected versions

v3.*
v3.5.0
v3.5.1
v3.5.2
v3.5.3
v3.5.4
v3.5.5
v3.5.6
v3.5.7
v3.6.0
v3.6.1
v3.6.2
v3.6.3
v3.6.4
v3.6.5
v3.7.0
v3.7.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14827.json"