cvelistv5 - cve-2021-20185

CVE-2021-20185 (GCVE-0-2021-20185)

Vulnerability from cvelistv5 – Published: 2021-01-28 19:01 – Updated: 2024-08-03 17:30

Summary

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.

Severity ?

No CVSS data available.

CWE

CWE-400

Assigner

redhat

References

URL

Tags

https://moodle.org/mod/forum/discuss.php?d=417168

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	moodle	Affected: moodle 3.10.1, moodle 3.9.4, moodle 3.8.7, moodle 3.5.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:30:07.687Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://moodle.org/mod/forum/discuss.php?d=417168"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "moodle",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "moodle 3.10.1, moodle 3.9.4, moodle 3.8.7, moodle 3.5.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-28T19:01:04",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://moodle.org/mod/forum/discuss.php?d=417168"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-20185",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "moodle",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "moodle 3.10.1, moodle 3.9.4, moodle 3.8.7, moodle 3.5.16"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://moodle.org/mod/forum/discuss.php?d=417168",
              "refsource": "MISC",
              "url": "https://moodle.org/mod/forum/discuss.php?d=417168"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-20185",
    "datePublished": "2021-01-28T19:01:04",
    "dateReserved": "2020-12-17T00:00:00",
    "dateUpdated": "2024-08-03T17:30:07.687Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.5.0\", \"versionEndExcluding\": \"3.5.16\", \"matchCriteriaId\": \"23C5022F-A799-4279-8E31-BDAE6C98F87C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.8.0\", \"versionEndExcluding\": \"3.8.7\", \"matchCriteriaId\": \"4C0C5BDE-B2B5-4DE7-BDE0-831F3B56A9CC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.9.0\", \"versionEndExcluding\": \"3.9.4\", \"matchCriteriaId\": \"47B9548F-912D-4D36-BE31-566EF2812EEA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:moodle:moodle:3.10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7B9E83AE-D857-4F96-9466-1361E116D160\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.\"}, {\"lang\": \"es\", \"value\": \"Se encontr\\u00f3 en Moodle versiones anteriores a 3.10.1, 3.9.4, 3.8.7 y 3.5.16, que la mensajer\\u00eda no impon\\u00eda un l\\u00edmite de caracteres al enviar mensajes, lo que podr\\u00eda resultar en la denegaci\\u00f3n de servicio del lado del cliente (navegador) para los usuarios que recib\\u00edan mensajes muy grandes\"}]",
      "id": "CVE-2021-20185",
      "lastModified": "2024-11-21T05:46:05.473",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-01-28T20:15:13.133",
      "references": "[{\"url\": \"https://moodle.org/mod/forum/discuss.php?d=417168\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://moodle.org/mod/forum/discuss.php?d=417168\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-770\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-20185\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2021-01-28T20:15:13.133\",\"lastModified\":\"2024-11-21T05:46:05.473\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 en Moodle versiones anteriores a 3.10.1, 3.9.4, 3.8.7 y 3.5.16, que la mensajer\u00eda no impon\u00eda un l\u00edmite de caracteres al enviar mensajes, lo que podr\u00eda resultar en la denegaci\u00f3n de servicio del lado del cliente (navegador) para los usuarios que recib\u00edan mensajes muy grandes\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.5.0\",\"versionEndExcluding\":\"3.5.16\",\"matchCriteriaId\":\"23C5022F-A799-4279-8E31-BDAE6C98F87C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.8.0\",\"versionEndExcluding\":\"3.8.7\",\"matchCriteriaId\":\"4C0C5BDE-B2B5-4DE7-BDE0-831F3B56A9CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.9.0\",\"versionEndExcluding\":\"3.9.4\",\"matchCriteriaId\":\"47B9548F-912D-4D36-BE31-566EF2812EEA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:moodle:moodle:3.10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B9E83AE-D857-4F96-9466-1361E116D160\"}]}]}],\"references\":[{\"url\":\"https://moodle.org/mod/forum/discuss.php?d=417168\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://moodle.org/mod/forum/discuss.php?d=417168\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}

CERTFR-2021-AVI-057

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Moodle. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Moodle	Moodle	Moodle versions 3.8.x antérieures à 3.8.7
Moodle	Moodle	Moodle versions 3.10.x antérieures à 3.10.1
Moodle	Moodle	Moodle versions 3.5.x antérieures à 3.5.16
Moodle	Moodle	Moodle versions 3.9.x antérieures à 3.9.4

References

Title

Publication Time

Tags

Bulletin de sécurité Moodle MSA-21-0005 du 25 janvier 2021	None	vendor-advisory
Bulletin de sécurité Moodle MSA-21-0003 du 25 janvier 2021	None	vendor-advisory
Bulletin de sécurité Moodle MSA-21-0001 du 25 janvier 2021	None	vendor-advisory
Bulletin de sécurité Moodle MSA-21-0004 du 25 janvier 2021	None	vendor-advisory
Bulletin de sécurité Moodle MSA-21-0002 du 25 janvier 2021	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Moodle versions 3.8.x ant\u00e9rieures \u00e0 3.8.7",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    },
    {
      "description": "Moodle versions 3.10.x ant\u00e9rieures \u00e0 3.10.1",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    },
    {
      "description": "Moodle versions 3.5.x ant\u00e9rieures \u00e0 3.5.16",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    },
    {
      "description": "Moodle versions 3.9.x ant\u00e9rieures \u00e0 3.9.4",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-20186",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20186"
    },
    {
      "name": "CVE-2021-20184",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20184"
    },
    {
      "name": "CVE-2021-20185",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20185"
    },
    {
      "name": "CVE-2021-20187",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20187"
    },
    {
      "name": "CVE-2021-20183",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20183"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-057",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-01-26T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Moodle. Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire, un d\u00e9ni de service \u00e0 distance et un contournement de la\npolitique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Moodle",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-21-0005 du 25 janvier 2021",
      "url": "https://moodle.org/mod/forum/discuss.php?d=417171"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-21-0003 du 25 janvier 2021",
      "url": "https://moodle.org/mod/forum/discuss.php?d=417168"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-21-0001 du 25 janvier 2021",
      "url": "https://moodle.org/mod/forum/discuss.php?d=417166"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-21-0004 du 25 janvier 2021",
      "url": "https://moodle.org/mod/forum/discuss.php?d=417170"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-21-0002 du 25 janvier 2021",
      "url": "https://moodle.org/mod/forum/discuss.php?d=417167"
    }
  ]
}

CERTFR-2021-AVI-057

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Moodle	Moodle	Moodle versions 3.8.x antérieures à 3.8.7
Moodle	Moodle	Moodle versions 3.10.x antérieures à 3.10.1
Moodle	Moodle	Moodle versions 3.5.x antérieures à 3.5.16
Moodle	Moodle	Moodle versions 3.9.x antérieures à 3.9.4

References

Title

Publication Time

Tags

Bulletin de sécurité Moodle MSA-21-0005 du 25 janvier 2021	None	vendor-advisory
Bulletin de sécurité Moodle MSA-21-0003 du 25 janvier 2021	None	vendor-advisory
Bulletin de sécurité Moodle MSA-21-0001 du 25 janvier 2021	None	vendor-advisory
Bulletin de sécurité Moodle MSA-21-0004 du 25 janvier 2021	None	vendor-advisory
Bulletin de sécurité Moodle MSA-21-0002 du 25 janvier 2021	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Moodle versions 3.8.x ant\u00e9rieures \u00e0 3.8.7",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    },
    {
      "description": "Moodle versions 3.10.x ant\u00e9rieures \u00e0 3.10.1",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    },
    {
      "description": "Moodle versions 3.5.x ant\u00e9rieures \u00e0 3.5.16",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    },
    {
      "description": "Moodle versions 3.9.x ant\u00e9rieures \u00e0 3.9.4",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-20186",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20186"
    },
    {
      "name": "CVE-2021-20184",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20184"
    },
    {
      "name": "CVE-2021-20185",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20185"
    },
    {
      "name": "CVE-2021-20187",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20187"
    },
    {
      "name": "CVE-2021-20183",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20183"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-057",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-01-26T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Moodle. Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire, un d\u00e9ni de service \u00e0 distance et un contournement de la\npolitique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Moodle",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-21-0005 du 25 janvier 2021",
      "url": "https://moodle.org/mod/forum/discuss.php?d=417171"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-21-0003 du 25 janvier 2021",
      "url": "https://moodle.org/mod/forum/discuss.php?d=417168"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-21-0001 du 25 janvier 2021",
      "url": "https://moodle.org/mod/forum/discuss.php?d=417166"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-21-0004 du 25 janvier 2021",
      "url": "https://moodle.org/mod/forum/discuss.php?d=417170"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-21-0002 du 25 janvier 2021",
      "url": "https://moodle.org/mod/forum/discuss.php?d=417167"
    }
  ]
}

GSD-2021-20185

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-20185

Aliases

CVE-2021-20185

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-20185",
    "description": "It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.",
    "id": "GSD-2021-20185"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-20185"
      ],
      "details": "It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.",
      "id": "GSD-2021-20185",
      "modified": "2023-12-13T01:23:12.534429Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2021-20185",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "moodle",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "moodle 3.10.1, moodle 3.9.4, moodle 3.8.7, moodle 3.5.16"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-400"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://moodle.org/mod/forum/discuss.php?d=417168",
            "refsource": "MISC",
            "url": "https://moodle.org/mod/forum/discuss.php?d=417168"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=3.5.0,\u003c3.5.16||\u003e=3.8.0,\u003c3.8.7||\u003e=3.9.0,\u003c3.9.4||=3.10.0",
          "affected_versions": "All versions starting from 3.5.0 before 3.5.16, all versions starting from 3.8.0 before 3.8.7, all versions starting from 3.9.0 before 3.9.4, version 3.10.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "cwe_ids": [
            "CWE-1035",
            "CWE-770",
            "CWE-937"
          ],
          "date": "2022-10-21",
          "description": "It was found in Moodle that messaging does not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.",
          "fixed_versions": [
            "3.5.16",
            "3.8.7",
            "3.9.4",
            "3.10.1"
          ],
          "identifier": "CVE-2021-20185",
          "identifiers": [
            "CVE-2021-20185"
          ],
          "not_impacted": "All versions before 3.5.0, all versions starting from 3.5.16 before 3.8.0, all versions starting from 3.8.7 before 3.9.0, all versions starting from 3.9.4 before 3.10.0, all versions after 3.10.0",
          "package_slug": "packagist/moodle/moodle",
          "pubdate": "2021-01-28",
          "solution": "Upgrade to versions 3.5.16, 3.8.7, 3.9.4, 3.10.1 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-20185",
            "https://moodle.org/mod/forum/discuss.php?d=417168"
          ],
          "uuid": "4d3c039c-3787-4a5c-85c1-9cfe810ec2e1"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.8.7",
                "versionStartIncluding": "3.8.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.9.4",
                "versionStartIncluding": "3.9.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.5.16",
                "versionStartIncluding": "3.5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:moodle:moodle:3.10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-20185"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://moodle.org/mod/forum/discuss.php?d=417168",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://moodle.org/mod/forum/discuss.php?d=417168"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2022-10-21T20:10Z",
      "publishedDate": "2021-01-28T20:15Z"
    }
  }
}

FKIE_CVE-2021-20185

Vulnerability from fkie_nvd - Published: 2021-01-28 20:15 - Updated: 2024-11-21 05:46

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

References

	URL	Tags
	secalert@redhat.com	https://moodle.org/mod/forum/discuss.php?d=417168	Patch, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://moodle.org/mod/forum/discuss.php?d=417168	Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
moodle	moodle	*
moodle	moodle	*
moodle	moodle	*
moodle	moodle	3.10.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "23C5022F-A799-4279-8E31-BDAE6C98F87C",
              "versionEndExcluding": "3.5.16",
              "versionStartIncluding": "3.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C0C5BDE-B2B5-4DE7-BDE0-831F3B56A9CC",
              "versionEndExcluding": "3.8.7",
              "versionStartIncluding": "3.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "47B9548F-912D-4D36-BE31-566EF2812EEA",
              "versionEndExcluding": "3.9.4",
              "versionStartIncluding": "3.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:moodle:moodle:3.10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7B9E83AE-D857-4F96-9466-1361E116D160",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 en Moodle versiones anteriores a 3.10.1, 3.9.4, 3.8.7 y 3.5.16, que la mensajer\u00eda no impon\u00eda un l\u00edmite de caracteres al enviar mensajes, lo que podr\u00eda resultar en la denegaci\u00f3n de servicio del lado del cliente (navegador) para los usuarios que recib\u00edan mensajes muy grandes"
    }
  ],
  "id": "CVE-2021-20185",
  "lastModified": "2024-11-21T05:46:05.473",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-01-28T20:15:13.133",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://moodle.org/mod/forum/discuss.php?d=417168"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://moodle.org/mod/forum/discuss.php?d=417168"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2021-07532

Vulnerability from cnvd - Published: 2021-01-31

Title

Moodle资源管理错误漏洞

Description

Moodle是一套免费、开源的电子学习软件平台，也称课程管理系统、学习管理系统或虚拟学习环境。 Moodle 3.10.1, 3.9.4, 3.8.7 and 3.5.16之前版本存在资源管理错误漏洞，消息传递在发送消息时没有施加字符限制，这可能会导致客户端（浏览器）拒绝接收非常大的消息的用户的服务。目前没有详细的漏洞细节提供。

Severity

高

Patch Name

Moodle资源管理错误漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://moodle.org/security/

Reference

https://www.auscert.org.au/bulletins/ESB-2021.0314/

Impacted products

Name
['Moodle Moodle 3.10.1', 'Moodle Moodle 3.9.4', 'Moodle Moodle 3.8.7', 'Moodle Moodle 3.5.16']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-20185",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-20185"
    }
  },
  "description": "Moodle\u662f\u4e00\u5957\u514d\u8d39\u3001\u5f00\u6e90\u7684\u7535\u5b50\u5b66\u4e60\u8f6f\u4ef6\u5e73\u53f0\uff0c\u4e5f\u79f0\u8bfe\u7a0b\u7ba1\u7406\u7cfb\u7edf\u3001\u5b66\u4e60\u7ba1\u7406\u7cfb\u7edf\u6216\u865a\u62df\u5b66\u4e60\u73af\u5883\u3002\n\nMoodle 3.10.1, 3.9.4, 3.8.7 and 3.5.16\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u6d88\u606f\u4f20\u9012\u5728\u53d1\u9001\u6d88\u606f\u65f6\u6ca1\u6709\u65bd\u52a0\u5b57\u7b26\u9650\u5236\uff0c\u8fd9\u53ef\u80fd\u4f1a\u5bfc\u81f4\u5ba2\u6237\u7aef\uff08\u6d4f\u89c8\u5668\uff09\u62d2\u7edd\u63a5\u6536\u975e\u5e38\u5927\u7684\u6d88\u606f\u7684\u7528\u6237\u7684\u670d\u52a1\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://moodle.org/security/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-07532",
  "openTime": "2021-01-31",
  "patchDescription": "Moodle\u662f\u4e00\u5957\u514d\u8d39\u3001\u5f00\u6e90\u7684\u7535\u5b50\u5b66\u4e60\u8f6f\u4ef6\u5e73\u53f0\uff0c\u4e5f\u79f0\u8bfe\u7a0b\u7ba1\u7406\u7cfb\u7edf\u3001\u5b66\u4e60\u7ba1\u7406\u7cfb\u7edf\u6216\u865a\u62df\u5b66\u4e60\u73af\u5883\u3002\r\n\r\nMoodle 3.10.1, 3.9.4, 3.8.7 and 3.5.16\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u6d88\u606f\u4f20\u9012\u5728\u53d1\u9001\u6d88\u606f\u65f6\u6ca1\u6709\u65bd\u52a0\u5b57\u7b26\u9650\u5236\uff0c\u8fd9\u53ef\u80fd\u4f1a\u5bfc\u81f4\u5ba2\u6237\u7aef\uff08\u6d4f\u89c8\u5668\uff09\u62d2\u7edd\u63a5\u6536\u975e\u5e38\u5927\u7684\u6d88\u606f\u7684\u7528\u6237\u7684\u670d\u52a1\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Moodle\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Moodle Moodle 3.10.1",
      "Moodle Moodle 3.9.4",
      "Moodle Moodle 3.8.7",
      "Moodle Moodle 3.5.16"
    ]
  },
  "referenceLink": "https://www.auscert.org.au/bulletins/ESB-2021.0314/",
  "serverity": "\u9ad8",
  "submitTime": "2021-01-30",
  "title": "Moodle\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e"
}

GHSA-C3J6-33R4-89Q3

Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2024-04-23 23:38

Summary

Moodle Client side denial of service via personal message

Details

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5"
            },
            {
              "fixed": "3.5.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.8"
            },
            {
              "fixed": "3.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9"
            },
            {
              "fixed": "3.9.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10"
            },
            {
              "fixed": "3.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-20185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T23:38:01Z",
    "nvd_published_at": "2021-01-28T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.",
  "id": "GHSA-c3j6-33r4-89q3",
  "modified": "2024-04-23T23:38:01Z",
  "published": "2022-05-24T17:40:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20185"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moodle/moodle"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=417168"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Moodle Client side denial of service via personal message"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-20185 (GCVE-0-2021-20185)

CERTFR-2021-AVI-057

Solution

CERTFR-2021-AVI-057

Solution

GSD-2021-20185

FKIE_CVE-2021-20185

CNVD-2021-07532

GHSA-C3J6-33R4-89Q3

Tags

Sightings

Nomenclature