Description

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer.

Remediation

References

CVE-2021-27131

Related Vulnerabilities

WordPress Plugin YARPP-Yet Another Related Posts PHP Object Injection (4.4)

Apache HTTP Server Improper Input Validation Vulnerability (CVE-2016-8612)

WordPress Plugin Import XML and RSS Feeds Remote Code Execution (2.1.4)

WordPress Plugin E-Search Multiple Cross-Site Scripting Vulnerabilities (1.0)

Joomla Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-9933)

Severity

Medium

Classification

CVE-2021-27131 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities