The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

Affected Packages

Packagist moodle/moodle

Affected versions: 3.9.0 (fixed in 3.9.2)

Packagist moodle/moodle

Affected versions: 3.8.0 (fixed in 3.8.5)

Packagist moodle/moodle

Affected versions: 3.7.0 (fixed in 3.7.8)

Packagist moodle/moodle

Affected versions: 3.5 (fixed in 3.5.14)

Related CVEs

CVE-2020-25628

Key Information

GHSA ID

GHSA-5x33-h32w-6vr2

Published

March 29, 2021 8:43 PM

Last Modified

March 24, 2021 11:14 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

moodle/moodle

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 15, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.