CVE-2021-21809

9.1 CRITICAL

📋 TL;DR

This vulnerability allows authenticated administrators in Moodle to execute arbitrary commands on the server through the legacy spellchecker plugin. An attacker holding admin privileges can send specially crafted HTTP requests to achieve remote code execution. Only Moodle installations where an administrator account is at risk are affected.

💻 Affected Systems

Products:
  • Moodle
Versions: 3.10.x
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator privileges and legacy spellchecker plugin enabled

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise leading to data theft, lateral movement, and persistent backdoor installation
🟠 Likely Case: Administrator account takeover leading to data manipulation, user impersonation, and further system exploitation
🟢 If Mitigated: Limited impact due to strong access controls, monitoring, and network segmentation

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin credentials but is straightforward once authenticated

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.10.4, 3.9.7, 3.8.10, and later

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=423167

Restart Required: No

Instructions:

1. Back up your Moodle installation and database.
2. Download the patched version from moodle.org.
3. Replace affected files with patched versions.
4. Clear the Moodle cache.
5. Verify functionality.

🔧 Temporary Workarounds

Disable Legacy Spellchecker Plugin

Applies to: all

Disable the vulnerable spellchecker plugin to prevent exploitation

Navigate to Site administration > Plugins > Text editors > TinyMCE HTML editor > Spell engine and set it to 'Browser based', or disable spellchecking altogether

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for administrator accounts
  • Segment the network to limit access to the Moodle server and restrict its egress traffic

🔍 How to Verify

Check if Vulnerable:

Check the Moodle version via the Site administration > Notifications page or the version.php file

Check Version:

grep "\$release" moodle/version.php

Verify Fix Applied:

Verify version is 3.10.4 or higher and spellchecker plugin is disabled or updated
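The version check above can be scripted. The following checker is an added example, not part of the advisory or of Moodle: it parses the `$release` line of version.php and compares it against the fixed versions listed in this advisory (3.10.4, 3.9.7, 3.8.10), treating newer branches as fixed ("and later") and older branches as not covered by the listed fixes. The sample version.php content is constructed.

```python
import re

# Fixed versions listed in the advisory, keyed by Moodle branch.
# Branches newer than 3.10 are treated as fixed ("and later");
# branches older than 3.8 are reported as not covered by the listed fixes.
FIXED_IN = {(3, 10): (3, 10, 4), (3, 9): (3, 9, 7), (3, 8): (3, 8, 10)}

_RELEASE_RE = re.compile(r"""\$release\s*=\s*['"]([^'"]+)['"]""")


def parse_release(version_php: str) -> tuple:
    """Extract the numeric release tuple from the $release line of version.php."""
    m = _RELEASE_RE.search(version_php)
    if not m:
        raise ValueError("no $release assignment found in version.php")
    # $release looks like '3.10.3 (Build: ...)'; keep only the leading x.y[.z].
    nums = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", m.group(1))
    if not nums:
        raise ValueError(f"unrecognised release string: {m.group(1)!r}")
    major, minor, patch = nums.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(release: tuple) -> str:
    """Classify a release as 'fixed', 'vulnerable' or 'not covered' by the advisory."""
    branch = release[:2]
    if branch in FIXED_IN:
        return "fixed" if release >= FIXED_IN[branch] else "vulnerable"
    if branch > (3, 10):
        return "fixed"          # newer branch, released after the fix
    return "not covered"        # older than 3.8: not in the advisory's fix list


def check_version_php(text: str) -> str:
    """Convenience wrapper: classify the contents of a version.php file."""
    return assess(parse_release(text))


# Constructed sample of the relevant lines from a Moodle 3.10.x version.php.
SAMPLE_VERSION_PHP = """<?php
$release  = '3.10.3 (Build: 20210315)';
$branch   = '310';
"""

if __name__ == "__main__":
    import sys
    # Pass the path to your version.php as the first argument, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERSION_PHP
    print(check_version_php(text))
```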

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrator activity
  • HTTP requests to spellchecker endpoints with suspicious parameters

Network Indicators:

  • HTTP POST requests containing command injection patterns to spellchecker paths

SIEM Query:

source="moodle_logs" AND (url="*/lib/editor/tinymce/plugins/spellchecker/*" AND (param="cmd" OR param="command"))
