CVE-2021-20187

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-20187

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20187.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-20187

Aliases

Downstream

UBUNTU-CVE-2021-20187

Published

2021-01-28T19:15:13.377Z

Modified

2026-04-10T04:29:15.469790Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.

References

https://moodle.org/mod/forum/discuss.php?d=417171

Affected packages

Git / github.com/moodle/moodle

Affected ranges

Type

GIT

Repo

https://github.com/moodle/moodle

Events

Introduced

Fixed

bbf242efb086307a0af9367d6caea08649b261d1

Introduced

f968cd44e8ee5d54b1bc56823040ff770dbf18af

Fixed

323c12674aa74d327ded9f5e44458cd5d1aea174

Introduced

500c131eb49771e36f68d151dfa37fef5a9bc2df

Fixed

de301d4237c42ddd0d4ae7395e663b8457943727

Introduced

Last affected

ec58cefefb2722f61f77c9a2b6a12d40a8c078a0

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.5.16"
        },
        {
            "introduced": "3.8.0"
        },
        {
            "fixed": "3.8.7"
        },
        {
            "introduced": "3.9.0"
        },
        {
            "fixed": "3.9.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.10.0"
        }
    ]
}

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.3.0

v2.*

v2.0.0

v2.0.0-rc1

v2.0.0-rc2

v2.0.1

v2.1.0

v2.2.0

v2.2.0-beta

v2.2.0-rc1

v2.3.0

v2.3.0-beta

v2.3.0-rc1

v2.4.0

v2.4.0-beta

v2.4.0-rc1

v2.5.0

v2.5.0-beta

v2.5.0-rc1

v2.6.0

v2.6.0-beta

v2.6.0-rc1

v2.7.0

v2.7.0-beta

v2.7.0-rc1

v2.7.0-rc2

v2.8.0

v2.8.0-beta

v2.8.0-rc1

v2.8.0-rc2

v2.9.0

v2.9.0-beta

v2.9.0-rc1

v2.9.0-rc2

v3.*

v3.0.0

v3.0.0-beta

v3.0.0-rc1

v3.0.0-rc2

v3.0.0-rc3

v3.0.0-rc4

v3.1.0

v3.1.0-beta

v3.1.0-rc1

v3.1.0-rc2

v3.10.0

v3.10.0-beta

v3.10.0-rc1

v3.10.0-rc2

v3.2.0

v3.2.0-beta

v3.2.0-rc1

v3.2.0-rc2

v3.2.0-rc3

v3.2.0-rc4

v3.2.0-rc5

v3.3.0

v3.3.0-beta

v3.3.0-rc1

v3.3.0-rc2

v3.3.0-rc3

v3.4.0

v3.4.0-beta

v3.4.0-rc1

v3.4.0-rc2

v3.4.0-rc3

v3.5.0

v3.5.0-beta

v3.5.0-rc1

v3.5.1

v3.5.10

v3.5.11

v3.5.12

v3.5.13

v3.5.14

v3.5.15

v3.5.2

v3.5.3

v3.5.4

v3.5.5

v3.5.6

v3.5.7

v3.5.8

v3.5.9

v3.8.0

v3.8.1

v3.8.2

v3.8.3

v3.8.4

v3.8.5

v3.8.6

v3.9.0

v3.9.1

v3.9.2

v3.9.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20187.json"