CVE-2024-37674

Name of the Vulnerable Software and Affected Versions Moodle CMS version 3.10

Description The issue is related to a Cross Site Scripting vulnerability in the New Activity Handler component of the Moodle virtual learning environment. This vulnerability is due to the lack of protection of the web page structure. Exploitation of this issue may allow a remote attacker to execute arbitrary code via the Field Name parameter of a new activity.

Recommendations For Moodle CMS version 3.10, consider disabling the New Activity Handler component or restricting access to the Field Name parameter until a patch is available. Avoid using the name parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.