
CVE-2021-20280: Cross-site scripting (XSS) and Server side request forgery (SSRF) in moodle

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.77654%
Published: 3/29/2021
Updated: 9/13/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name    Ecosystem   Vulnerable Versions   First Patched Version
moodle/moodle   composer    >= 3.10, < 3.10.2     3.10.2
moodle/moodle   composer    >= 3.9, < 3.9.5       3.9.5
moodle/moodle   composer    >= 3.8, < 3.8.8       3.8.8
moodle/moodle   composer    >= 3.5, < 3.5.17      3.5.17

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper sanitization of user-controlled input in the feedback module. The fixing commit replaces calls to htmlspecialchars_decode() and html_entity_decode() with Moodle's s() escaping function. Those decoding calls were applied to user-controlled data (feedback answers) in places where the result was then output without context-aware escaping:

  1. In complete_form.php, htmlspecialchars_decode() stripped the existing escaping from a stored answer before it was set as a form field default.
  2. In responses_table.php, html_entity_decode() undid the escaping of answers included in exported data.

Both reintroduced raw HTML characters into the output and so created stored XSS vectors. The SSRF risk likely arises from URL injection through the same unsanitized text fields, which could trigger server-side requests.
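The decode-then-output pattern described above, beside its escape-at-output replacement, as an added example that is not Moodle's own code. The s_like() helper is an assumption: a simplified stand-in modelled on Moodle's s() so the script runs outside Moodle, and the stored answer is a constructed sample.

```php
<?php
// Added example, not Moodle's own code: shows why decoding an already-escaped
// feedback answer before output (the pre-fix pattern) reintroduces raw HTML,
// and why escaping at the point of output does not.

// Stand-in modelled on Moodle's s() in lib/weblib.php (assumption: simplified).
// It HTML-escapes the value, quotes included, then restores any entity that was
// already present so that stored, escaped text is not double-encoded.
function s_like(string $var): string {
    $escaped = htmlspecialchars($var, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE, 'UTF-8');
    return preg_replace('/&amp;(#\d+|#x[0-9a-f]+|[a-z]+);/i', '&$1;', $escaped);
}

// Pre-fix pattern (as in complete_form.php): decode, then use as a form default.
function render_default_vulnerable(string $stored): string {
    $value = htmlspecialchars_decode($stored);   // undoes the stored escaping
    return '<input type="text" name="answer" value="' . $value . '">';
}

// Post-fix pattern: escape at the point of output instead of decoding.
function render_default_hardened(string $stored): string {
    return '<input type="text" name="answer" value="' . s_like($stored) . '">';
}

// Pre-fix pattern (as in responses_table.php): decoded text written to an export.
function export_cell_vulnerable(string $stored): string {
    return html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
}

function export_cell_hardened(string $stored): string {
    return s_like($stored);
}

// Constructed sample: an answer held in storage in escaped form. The text the
// respondent typed was:  "><b>marker</b>
$stored = '&quot;&gt;&lt;b&gt;marker&lt;/b&gt;';

echo "Vulnerable form default:\n  ", render_default_vulnerable($stored), "\n";
// The decoded quote ends value="..." early and <b> becomes live markup.
echo "Hardened form default:\n  ", render_default_hardened($stored), "\n";
// Entities stay entities; the browser displays the literal text the user typed.

echo "Vulnerable export cell:\n  ", export_cell_vulnerable($stored), "\n";
echo "Hardened export cell:\n  ", export_cell_hardened($stored), "\n";

// Also safe for a value that reached storage unescaped: raw characters are
// escaped once, and an existing &amp; is not turned into &amp;amp;.
echo "Raw value through s_like:\n  ", s_like('<b>raw</b> &amp; more'), "\n";
```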


WAF Protection Rules

WAF Rule

Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

T** vuln*r**ility st*ms *rom improp*r s*nitiz*tion o* us*r-*ontroll** input in *******k mo*ul* *ompon*nts. T** *ommit s*ows r*pl***m*nt o* *tmlsp**i*l***rs_***o**/*tml_*ntity_***o** wit* Moo*l*'s s() s*nitiz*tion *un*tion. T**s* ***o*in* *un*tions w*