The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected.

Affected Packages

Packagist moodle/moodle

Affected versions: 3.10 (fixed in 3.10.4)

Packagist moodle/moodle

Affected versions: 3.9 (fixed in 3.9.7)

Packagist moodle/moodle

Affected versions: 3.8 (fixed in 3.8.9)

Related CVEs

CVE-2021-32478

Key Information

GHSA ID

GHSA-78fm-qhh8-8858

Published

March 12, 2022 12:00 AM

Last Modified

July 12, 2023 12:02 AM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

moodle/moodle

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 15, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.