PT-2021-8977 · Moodle

Andrew Nicols · Published 2019-09-11 · Updated 2021-06-01 · CVE-2019-14827

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Moodle versions 3.5 through 3.5.7
Moodle versions 3.6 through 3.6.5
Moodle versions 3.7 through 3.7.1

Description

A vulnerability was found where JavaScript injection was possible in some Mustache templates via recursive rendering from contexts. This occurred because Mustache helper tags included in template contexts were not being escaped before the context was injected into another Mustache helper, which could result in script injection in some templates.

Recommendations

For versions 3.5 through 3.5.7, update to a version later than 3.5.7 to resolve the issue.
For versions 3.6 through 3.6.5, update to a version later than 3.6.5 to resolve the issue.
For versions 3.7 through 3.7.1, update to a version later than 3.7.1 to resolve the issue.

As a temporary workaround, consider restricting the use of recursive rendering in Mustache templates to minimize the risk of exploitation.

Fix

Code Injection


Weakness Enumeration

Related Identifiers

ALT-PU-2019-2681
ALT-PU-2019-2843
CVE-2019-14827

Affected Products

Alt Linux
Moodle