CVE-2021-36568

Name of the Vulnerable Software and Affected Versions Moodle versions 3.9.7 through 3.11.10 Moodle versions 3.10.4

Description The issue is related to the lack of protection for the web page structure in Moodle, allowing a remote attacker to conduct a cross-site scripting (XSS) attack. Specifically, in certain Moodle products, after creating a course, it is possible to add a resource to an arbitrary "Topic", in this case, a "Database" with the type "Text", where the Field name and Field description values are vulnerable to stored XSS.

Recommendations For Moodle versions 3.9.7, update to a version later than 3.9.7. For Moodle versions 3.10.4, update to a version later than 3.10.4. For Moodle versions 3.11.x prior to 3.11.10, update to version 3.11.10 or later. As a temporary workaround, consider restricting access to the "Database" resource with the type "Text" in arbitrary "Topics" until a patch is available. Avoid using the Field name and Field description values in the affected "Database" resource until the issue is resolved.