CVE-2021-36568
Description
In certain Moodle products, after creating a course it is possible to add to an arbitrary "Topic" a resource, in this case a "Database" with the field type "Text", whose "Field name" and "Field description" values are vulnerable to stored Cross-Site Scripting (XSS). This affects Moodle 3.11, Moodle 3.10.4 and Moodle 3.9.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | <= 3.9.7 | — |
| moodle/moodle | Packagist | >= 3.10.0, <= 3.10.4 | — |
| moodle/moodle | Packagist | >= 3.11.0, < 3.11.10 | 3.11.10 |
Affected products
OSV coordinates (no CPE assigned):
- range: >= 3.9.7, < 3.9.8
- range: <= 3.9.7
Patches
Vulnerability mechanics
Root cause
"Improper neutralization of user-controllable input in the 'Field name' and 'Field description' text fields of the Database resource type allows stored cross-site scripting."
Attack vector
An attacker who can create or edit a course adds a "Database" resource, then creates a "Text" field type within it. The attacker injects malicious JavaScript into the "Field name" or "Field description" input fields [ref_id=1]. When a victim accesses the course and opens the "Search" interface of the database activity, the stored payload executes in the victim's browser [ref_id=1]. The vulnerability is classified as stored XSS [CWE-79] because the malicious script is persisted in the database and served to other users.
Affected code
The advisory does not identify specific files or functions. The vulnerability resides in the Database activity module's handling of "Text" field types, specifically the "Field name" and "Field description" input fields [ref_id=1]. These fields are rendered without proper sanitization when a user accesses the search interface.
What the fix does
No patch is included in the bundle. The advisory does not specify whether Moodle released a fix for this issue. Based on the reference write-up [ref_id=1], the remediation would require proper output encoding or sanitization of the "Field name" and "Field description" values before they are rendered in the search page, preventing injected scripts from executing.
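As an added illustration, not code from Moodle or from the referenced write-up, the following PHP contrasts the unsafe rendering pattern the narrative describes with output encoding applied at the point where the field name and description reach the search page. The field array, the numeric field id and the sample values are constructed for the example; the real Database module's templates and helpers are not reproduced, and the mention of Moodle's s() helper is an assumption about that helper, not something the advisory states.

```php
<?php
// Added illustration (not Moodle code): rendering a Database activity's
// "Text" field name and description into the search form, first the unsafe
// way (raw interpolation) and then with contextual HTML output encoding.

declare(strict_types=1);

// Constructed sample field, standing in for a record from the activity's
// field table. In the scenario the advisory describes these values are
// attacker-controlled, so they must be treated as untrusted text.
$field = [
    'id'          => 7, // constructed numeric field id
    'name'        => 'Title <script>alert(1)</script>',
    'description' => 'Enter a title" onmouseover="alert(1)',
];

/**
 * Vulnerable pattern: untrusted values are concatenated straight into the
 * HTML of the search form. The browser parses the injected markup and the
 * stored script runs for every user who opens "Search".
 */
function render_search_field_unsafe(array $field): string
{
    return '<label for="f_' . $field['name'] . '">' . $field['name'] . '</label>'
         . '<input type="text" name="f_' . $field['name'] . '" '
         . 'placeholder="' . $field['description'] . '">';
}

/**
 * HTML-encode an untrusted string for use as element text or inside a
 * double-quoted attribute. ENT_QUOTES encodes both " and ' so attribute
 * breakouts are neutralised as well as tag injection. Moodle's own s()
 * helper wraps htmlspecialchars in a similar way (assumption, not modelled).
 */
function esc(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern: every untrusted value is encoded for the context it
 * lands in, and the input's id/name are derived from the field's numeric id
 * rather than from the attacker-chosen display name.
 */
function render_search_field_safe(array $field): string
{
    $inputname = 'f_' . (int) $field['id'];
    return '<label for="' . esc($inputname) . '">' . esc($field['name']) . '</label>'
         . '<input type="text" id="' . esc($inputname) . '" name="' . esc($inputname) . '" '
         . 'placeholder="' . esc($field['description']) . '">';
}

/** True when the rendered HTML still contains a raw tag or attribute break. */
function contains_raw_markup(string $html): bool
{
    return str_contains($html, '<script') || str_contains($html, '" onmouseover=');
}

$unsafe = render_search_field_unsafe($field);
$safe   = render_search_field_safe($field);

printf("unsafe output still carries raw markup: %s\n", contains_raw_markup($unsafe) ? 'yes' : 'no');
printf("safe output still carries raw markup:   %s\n", contains_raw_markup($safe) ? 'yes' : 'no');
echo $safe, PHP_EOL;
```

The check function only looks for the two specific breakouts carried by the constructed values; it is there to make the contrast visible when the script is run, not to serve as a general XSS detector. The durable fix is the encoding step itself, applied at every sink where these values are rendered.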
Preconditions
- Auth: Attacker must have access to create or edit a course in Moodle
- Input: Attacker must be able to add a Database resource and create a Text field within it
- Input: Victim must access the course and click the 'Search' option in the database activity
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fm6m-fg23-67jq (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERQ3NHVOK4ZXT4MS4LBQ2ZJHTON3LIMW/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PRI4ETMQ4DJR3TZUOOGPBQ32RBD5LNGC/ (MITRE, vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2021-36568 (GHSA, advisory)
- blog.hackingforce.com.br/en/cve-2021-36568 (GHSA, web)
- blog.hackingforce.com.br/en/cve-2021-36568/ (MITRE, x_refsource_MISC)
- bugzilla.redhat.com/show_bug.cgi (GHSA, web)
- drive.google.com/drive/folders/1_fO4BKpmD3avGYHSzvIXWs5owqVYgB1s (MITRE, x_refsource_MISC)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERQ3NHVOK4ZXT4MS4LBQ2ZJHTON3LIMW (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PRI4ETMQ4DJR3TZUOOGPBQ32RBD5LNGC (GHSA, web)
News mentions
No linked articles in our index yet.