Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-27131)

Description

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer.

Remediation

References

Related Vulnerabilities

WordPress Plugin Twenty20 Image Before-After Cross-Site Scripting (1.5.9)

Oracle Database Server CVE-2014-0377 Vulnerability (CVE-2014-0377)

WordPress Plugin Appointments Scheduler Cross-Site Scripting (1.5)

WordPress Plugin Invite Anyone PHP Object Injection (1.3.18)

WordPress Plugin WP Easy Gallery 'add-gallery.php' Arbitrary File Upload (1.8)

Severity

Medium

Classification

CVE-2021-27131 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities