CVE-2021-20280: Cross-site scripting (XSS) and Server side request forgery (SSRF) in moodle
CVSS Score
5.4 (CVSS v3.1)
Basic Information
CVE ID
CVE-2021-20280
GHSA ID
EPSS Score
0.77654%
CWE
Published
3/29/2021
Updated
9/13/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
moodle/moodle | composer | >= 3.10, < 3.10.2 | 3.10.2 |
moodle/moodle | composer | >= 3.9, < 3.9.5 | 3.9.5 |
moodle/moodle | composer | >= 3.8, < 3.8.8 | 3.8.8 |
moodle/moodle | composer | >= 3.5, < 3.5.17 | 3.5.17 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper output escaping of user-controlled input in feedback module components. The commit replaces calls to htmlspecialchars_decode() and html_entity_decode() with Moodle's s() escaping function. Those decoding calls sat in code paths where user-controlled data (feedback answers) was emitted, so the escaping already present on the stored value was undone and no context-aware escaping was applied on output:
- In complete_form.php, htmlspecialchars_decode() stripped existing escaping from an answer before it was set as a form field default.
- In responses_table.php, html_entity_decode() undid the escaping of answers in exported data.

Both reintroduced raw HTML characters into output, creating stored XSS vectors. The SSRF component is not visible in the escaping change itself; it likely relates to URL injection through the same unescaped text fields, where an attacker-supplied URL could cause the server to issue a request.
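As an added illustration of the decode-before-output pattern described above (this is not Moodle's code nor the commit's), the PHP script below runs the vulnerable form and the escaped form of both code paths over two constructed feedback answers. `s_like()` is a simplified stand-in for Moodle's `s()`, `leaks_markup()` is a hypothetical check, and the sample strings are invented. The second sample goes beyond the page to show that `html_entity_decode()` also expands numeric character references that `htmlspecialchars_decode()` leaves alone, which is why the export path has the wider attack surface.

```php
<?php
declare(strict_types=1);

// Added example, not code from Moodle or from the commit under discussion.
// It contrasts decoding a stored answer before output with escaping it at
// the output step, using constructed feedback answers.

// Simplified stand-in for Moodle's s(). Assumption: plain HTML escaping with
// quotes is enough to show the contrast; the real s() does more than this.
function s_like(string $var): string
{
    return htmlspecialchars($var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed stored answers, as they might sit in the database after an
// earlier escaping step. The second uses numeric character references,
// which htmlspecialchars_decode() ignores but html_entity_decode() expands.
function sample_answers(): array
{
    return [
        'named'   => 'Nice course &quot;&gt;&lt;img src=x onerror=alert(1)&gt;',
        'numeric' => 'Nice course &#34;&#62;&#60;img src=x onerror=alert(1)&#62;',
    ];
}

// Before (complete_form.php pattern): decode, then use as a form default.
function form_default_before(string $answer): string
{
    $value = htmlspecialchars_decode($answer);
    return '<input type="text" name="answer" value="' . $value . '">';
}

// After: escape for the HTML attribute context instead of decoding.
function form_default_after(string $answer): string
{
    return '<input type="text" name="answer" value="' . s_like($answer) . '">';
}

// Before (responses_table.php pattern): decode every entity when exporting.
function export_cell_before(string $answer): string
{
    return '<td>' . html_entity_decode($answer, ENT_QUOTES, 'UTF-8') . '</td>';
}

// After: escape for the HTML text context.
function export_cell_after(string $answer): string
{
    return '<td>' . s_like($answer) . '</td>';
}

// Hypothetical check: did a tag from the answer survive into the fragment?
function leaks_markup(string $html): bool
{
    return strpos($html, '<img') !== false;
}

foreach (sample_answers() as $label => $answer) {
    printf("[%s answer]\n", $label);
    foreach (['form_default_before', 'form_default_after',
              'export_cell_before', 'export_cell_after'] as $fn) {
        $html = $fn($answer);
        printf("  %-20s %s  %s\n", $fn, leaks_markup($html) ? 'LEAKS' : 'safe ', $html);
    }
}
```

Run it with `php example.php`. For the named sample both "before" paths emit a live `<img>` element; for the numeric sample only the export path does, because `htmlspecialchars_decode()` never touches `&#60;`. The escaped outputs show the stored entities as literal text, which is the safe failure mode: if a once-decoded display is wanted, do that decoding at the data layer and still escape at the output step.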