A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.

Affected Packages

Packagist moodle/moodle

Affected versions: 3.9 (fixed in 3.9.2)

Packagist moodle/moodle

Affected versions: 3.8 (fixed in 3.8.5)

Packagist moodle/moodle

Affected versions: 3.7 (fixed in 3.7.8)

Related CVEs

CVE-2020-25631

Key Information

GHSA ID

GHSA-4w4j-9533-82qg

Published

May 24, 2022 5:35 PM

Last Modified

April 23, 2024 11:37 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

moodle/moodle

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 15, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.