GHSA-2jrm-gww7-wch2

GitHub Security Advisory

Moodle Arbitrary PHP code execution by site admins via Shibboleth configuration

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

In Moodle before versions 3.10.1, 3.9.4, 3.8.7 and 3.5.16, site administrators could execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.

Affected Packages

Packagist moodle/moodle, affected versions: 3.5 (fixed in 3.5.16)
Packagist moodle/moodle, affected versions: 3.8 (fixed in 3.8.7)
Packagist moodle/moodle, affected versions: 3.9 (fixed in 3.9.4)
Packagist moodle/moodle, affected versions: 3.10 (fixed in 3.10.1)

Related CVEs

Key Information

GHSA ID: GHSA-2jrm-gww7-wch2
Published: May 24, 2022 5:40 PM
Last Modified: April 23, 2024 11:37 PM
CVSS Score: 7.5/10
Primary Ecosystem: Packagist
Primary Package: moodle/moodle
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 15, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.