CVE-2021-47857
Persistent XSS in Moodle 3.10.3 Calendar Event Subtitle
Publication date: 2026-01-21
Last updated on: 2026-03-05
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| moodle | moodle | 3.10.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47857 is a persistent (stored) cross-site scripting (XSS) vulnerability in Moodle version 3.10.3. It occurs in the calendar event subtitle field, specifically in the 'label' attribute of subtitle tracks. An attacker can inject JavaScript into this field when creating a calendar event. When other users view the event, the injected script executes in their browsers, giving the attacker arbitrary script execution in those users' session context. [2, 3]
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary JavaScript code in the context of users viewing the affected calendar events. Potential impacts include session hijacking, defacement, or other malicious actions within the Moodle application. Because the malicious code executes in users' browsers, it can compromise user data or the integrity of the Moodle environment. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for calendar events in Moodle 3.10.3 that contain suspicious or malicious JavaScript code in the subtitle track 'label' field. One approach is to inspect the calendar event data, especially the subtitle track labels, for embedded scripts such as <img src="1" onerror="alert(1)" /> or base64-encoded scripts in <embed> tags. Detection can involve querying the Moodle database for calendar events with subtitle labels containing script tags or suspicious payloads. Additionally, monitoring POST requests to endpoints like /lib/ajax/service.php with JSON data containing subtitle track labels can help identify exploit attempts. Specific commands depend on your environment, but for example, you could use SQL queries to search the Moodle database for suspicious subtitle labels or use network monitoring tools to capture and analyze POST requests to the service.php endpoint. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Moodle to a version where this vulnerability is fixed, as the issue resides in Moodle 3.10.3. If an upgrade is not immediately possible, restrict user privileges to prevent unauthorized users from creating or editing calendar events with subtitle tracks. Additionally, implement input validation and sanitization on the subtitle track 'label' field to prevent script injection. Monitoring and blocking suspicious POST requests to /lib/ajax/service.php related to calendar event creation can also help mitigate exploitation. Finally, inform users to be cautious when viewing calendar events and consider applying web application firewall (WAF) rules to detect and block malicious payloads targeting this vulnerability. [2, 3]