Cross-site scripting (XSS) and Server side request forgery (SSRF) in moodle · CVE-2021-20280 · GitHub Advisory Database · GitHub

Cross-site scripting (XSS) and Server side request forgery (SSRF) in moodle

Moderate severity GitHub Reviewed Published Mar 29, 2021 to the GitHub Advisory Database • Updated Sep 13, 2023

Package

moodle/moodle (Composer)

Affected versions

>= 3.10, < 3.10.2

>= 3.9, < 3.9.5

>= 3.8, < 3.8.8

>= 3.5, < 3.5.17

Patched versions

3.10.2

3.9.5

3.8.8

3.5.17

Description

Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

References

Published by the National Vulnerability Database

Mar 15, 2021

Reviewed Mar 24, 2021

Published to the GitHub Advisory Database Mar 29, 2021

Last updated Sep 13, 2023

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N