UBUNTU-CVE-2021-27131

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2021-27131

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-27131.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2021-27131

Withdrawn

2025-06-23T15:53:59Z

Published

2023-05-16T20:15:00Z

Modified

2023-05-16T20:15:00Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

** DISPUTED ** Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer. NOTE: this is disputed by the vendor because the "Additional HTML Section" for "Header and Footer" can only be supplied by an administrator, who is intentionally allowed to enter unsanitized input (e.g., site-specific JavaScript).

References

Affected packages

Ubuntu:Pro:16.04:LTS / moodle

Package

Name: moodle
Purl: pkg:deb/ubuntu/moodle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.7.9+dfsg-1

2.7.10+dfsg-1

2.7.11+dfsg-1

2.7.11+dfsg-2

2.7.12+dfsg-1

3.*

3.0.3+dfsg-0ubuntu1

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-27131.json"

Ubuntu:Pro:18.04:LTS / moodle