CVE-2021-36568: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

September 13, 2022 (updated November 7, 2023)

In certain Moodle products after creating a course, it is possible to add in a arbitrary “Topic” a resource, in this case a “Database” with the type “Text” where its values “Field name” and “Field description” is vulnerable to Cross Site Scripting Stored(XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7.

References

blog.hackingforce.com.br/en/cve-2021-36568/
drive.google.com/drive/folders/1_fO4BKpmD3avGYHSzvIXWs5owqVYgB1s?usp=sharing
nvd.nist.gov/vuln/detail/CVE-2021-36568

Code Behaviors & Features

Detect and mitigate CVE-2021-36568 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →