Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-32478

EPSS 3.40% · P87
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-32478

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Moodle 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Moodle是一套免费、开源的电子学习软件平台,也称课程管理系统、学习管理系统或虚拟学习环境。 Moodle 存在输入验证错误漏洞,该漏洞源于在LTI授权端点中对用户提供的数据的无害化处理不足。远程攻击者可利用该漏洞可以欺骗受害者,使其遵循一个专门制作的链接,并在脆弱网站的上下文中在用户的浏览器中执行任意HTML和脚本代码。以下产品及版本受到影响:Moodle: 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.9.0, 3.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
-moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 -

II. Public POCs for CVE-2021-32478

#POC DescriptionSource LinkShenlong Link
1Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, and earlier unsupported versions contain a cross-site scripting vulnerability via the redirect_uri parameter.https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/moodle/moodle-xss.yamlPOC Details
2Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 contain a reflected XSS and open redirect caused by insufficient sanitization of the redirect URI in the LTI authorization endpoint, letting attackers execute scripts or redirect users maliciously, exploit requires crafted URL with malicious redirect URI. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-32478.yamlPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2021-32478

登录查看更多情报信息。

Same Patch Batch · n/a · 2022-03-11 · 41 CVEs total

CVE-2022-244338.1 HIGHCommand Injection
CVE-2022-258394.3 MEDIUMImproper Input Validation
CVE-2021-44618Nystudio107 Seomatic 代码注入漏洞
CVE-2022-23927HP PC 安全漏洞
CVE-2022-23934HP PC 安全漏洞
CVE-2022-23931HP PC 安全漏洞
CVE-2022-23930HP PC 安全漏洞
CVE-2022-23924HP PC 安全漏洞
CVE-2022-23925HP PC 安全漏洞
CVE-2022-23731Lg Electronics Lg WebOs 安全漏洞
CVE-2022-23730public API安全漏洞
CVE-2021-44620TotoLink A3100R 命令注入漏洞
CVE-2022-23926HP PC 安全漏洞
CVE-2021-46708swagger-ui-dist 安全漏洞
CVE-2018-25031Swagger UI 输入验证错误漏洞
CVE-2022-26878Linux kernel安全漏洞
CVE-2022-26874Horde Groupware Webmail 跨站脚本漏洞
CVE-2020-36518FasterXML jackson-databind 缓冲区错误漏洞
CVE-2021-32472Moodle 信息泄露漏洞
CVE-2021-32476Moodle 资源管理错误漏洞

Showing top 20 of 41 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: moodle
Same vendor: n/a
Same weakness: CWE-79

V. Comments for CVE-2021-32478

No comments yet

Leave a comment