Description

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer.

Remediation

References

CVE-2021-27131

Related Vulnerabilities

WordPress Plugin WP Statistics Cross-Site Scripting (12.0.9)

WordPress Plugin Contact Form Email Cross-Site Scripting (1.1.87)

Internet Information Services Other Vulnerability (CVE-2000-0408)

WordPress 4.5.x Multiple Vulnerabilities (4.5 - 4.5.8)

WordPress Plugin WP-SpamFree Anti-Spam 'id' Parameter SQL Injection (3.2.1)

Severity

Medium

Classification

CVE-2021-27131 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities