Description

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer.

Remediation

References

CVE-2021-27131

Related Vulnerabilities

WordPress Plugin Gallery-Flagallery Photo Portfolio Cross-Site Request Forgery (3.01)

PHP Other Vulnerability (CVE-2010-0397)

Rukovoditel Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2020-11817)

WordPress Plugin DFD Reddcoin Tips Cross-Site Scripting (1.1.1)

WordPress 4.1.x Same Origin Method Execution (SOME) Vulnerability (4.1 - 4.1.10)

Severity

Medium

Classification

CVE-2021-27131 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Tags

Missing Update Known Vulnerabilities