CVE-2021-47857
Unknown Unknown - Not Provided
Persistent XSS in Moodle 3.10.3 Calendar Event Subtitle

Publication date: 2026-01-21

Last updated on: 2026-03-05

Assigner: VulnCheck

Description
Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47857
EUVD
EUVD-2026-3616
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
moodle moodle 3.10.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47857 is a persistent cross-site scripting (XSS) vulnerability in Moodle version 3.10.3. It occurs in the calendar event subtitle field, specifically in the 'label' attribute of subtitle tracks. Attackers can inject malicious JavaScript code into this field when creating a calendar event. When other users view the event, the malicious script executes in their browsers, allowing arbitrary code execution. [2, 3]

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the context of users viewing the affected calendar events. Potential impacts include session hijacking, defacement, or other malicious actions within the Moodle application. Because the malicious code executes in users' browsers, it can compromise user data or the integrity of the Moodle environment. [2, 3]

Detection Guidance

This vulnerability can be detected by checking for calendar events in Moodle 3.10.3 that contain suspicious or malicious JavaScript code in the subtitle track 'label' field. One approach is to inspect the calendar event data, especially the subtitle track labels, for embedded scripts such as <img src="1" onerror="alert(1)" /> or base64-encoded scripts in <embed> tags. Detection can involve querying the Moodle database for calendar events with subtitle labels containing script tags or suspicious payloads. Additionally, monitoring POST requests to endpoints like /lib/ajax/service.php with JSON data containing subtitle track labels can help identify exploit attempts. Specific commands depend on your environment, but for example, you could use SQL queries to search the Moodle database for suspicious subtitle labels or use network monitoring tools to capture and analyze POST requests to the service.php endpoint. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading Moodle to a version where this vulnerability is fixed, as the issue resides in Moodle 3.10.3. If an upgrade is not immediately possible, restrict user privileges to prevent unauthorized users from creating or editing calendar events with subtitle tracks. Additionally, implement input validation and sanitization on the subtitle track 'label' field to prevent script injection. Monitoring and blocking suspicious POST requests to /lib/ajax/service.php related to calendar event creation can also help mitigate exploitation. Finally, inform users to be cautious when viewing calendar events and consider applying web application firewall (WAF) rules to detect and block malicious payloads targeting this vulnerability. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47857. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart