CVE-2021-27131

Source
https://cve.org/CVERecord?id=CVE-2021-27131
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-27131.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-27131
Aliases
Published
2023-05-16T20:15:08.987Z
Modified
2026-07-08T21:26:20.892496Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer. NOTE: this is disputed by the vendor because the "Additional HTML Section" for "Header and Footer" can only be supplied by an administrator, who is intentionally allowed to enter unsanitized input (e.g., site-specific JavaScript).

References

Affected packages

Git / github.com/moodle/moodle

Affected ranges

Type
GIT
Repo
https://github.com/moodle/moodle
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:moodle:moodle:3.10.1:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.10.1"
        },
        {
            "last_affected": "3.10.1"
        }
    ]
}

Affected versions

3.*
3.10.1
v3.*
v3.10.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-27131.json"