CVE-2021-47857

7.2 HIGH

📋 TL;DR

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in calendar event subtitles that allows attackers to inject malicious JavaScript. When users view a crafted calendar event, the malicious script executes in their browser, potentially stealing credentials or performing unauthorized actions. All Moodle instances running the affected version are vulnerable.

💻 Affected Systems

Products:
  • Moodle
Versions: 3.10.3 specifically
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where users have calendar event creation privileges. The vulnerability is in the subtitle field of calendar events.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, compromise user accounts, deface the platform, or redirect users to malicious sites, potentially leading to full system compromise.

🟠 Likely Case

Attackers with calendar event creation privileges could steal session cookies, perform actions as other users, or deploy phishing attacks against users viewing the malicious events.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an attacker to already hold calendar event creation privileges. Public exploit code is available, so weaponization is straightforward for attackers with that access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.10.4 and later

Vendor Advisory: https://moodle.org/

Restart Required: No

Instructions:

1. Back up your Moodle installation and database.
2. Download Moodle 3.10.4 or later from moodle.org.
3. Replace the affected files with the patched version.
4. Clear Moodle caches from Site administration > Development > Purge all caches.

🔧 Temporary Workarounds

Disable calendar event creation

all

Temporarily restrict calendar event creation permissions to prevent exploitation while patching.

Navigate to Site administration > Users > Permissions > Define roles > Edit role capabilities > Search for 'moodle/calendar:manageentries' > Set to 'Prevent'

Content Security Policy

all

Implement a strict Content Security Policy header to block inline script execution.

Add to web server config: Content-Security-Policy: script-src 'self' https://trusted.cdn.example; (replace https://trusted.cdn.example with any origin the site legitimately loads scripts from). Moodle pages rely on inline scripts, so deploy this first as Content-Security-Policy-Report-Only and test in a staging environment before enforcing it, or parts of the interface will stop working.

🧯 If You Can't Patch

  • Implement web application firewall rules to block XSS payloads in calendar event submissions
  • Regularly audit calendar events for suspicious content and remove any containing script tags or JavaScript

🔍 How to Verify

Check if Vulnerable:

Check Moodle version in Site administration > Notifications page. If version is exactly 3.10.3, the system is vulnerable.

Check Version:

Check Moodle config.php or visit Site administration > Notifications in web interface

Verify Fix Applied:

After patching, verify that the version shows 3.10.4 or later. Test by creating a calendar event with <script>alert('test')</script> in the subtitle: it should display as plain text, not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual calendar event creation patterns
  • Calendar events containing script tags or JavaScript in subtitles
  • Multiple failed login attempts following calendar event views

Network Indicators:

  • Outbound connections to suspicious domains following calendar event access
  • Unusual POST requests to calendar event creation endpoints

SIEM Query:

source="moodle_logs" AND ((event="calendar_event_created" AND subtitle CONTAINS "<script>") OR (event="user_login" AND src_ip!=user_normal_ip))
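As an added illustration (not code from this page or from Moodle), the following Python audit applies the log-indicator logic above to constructed calendar event records and also shows the output encoding that makes the "If Mitigated" case hold. A plain CONTAINS "<script>" match like the query above misses mixed-case tags, inline event handlers and entity-encoded copies, so the checks here decode entities first and match several patterns. The record layout (id, subtitle) and field names are assumed, not Moodle's schema.

```python
import html
import re
from typing import Iterable

# Patterns indicating markup that can execute JavaScript if rendered unescaped.
# Matched case-insensitively after entity decoding, so "<ScRiPt>" and
# "&lt;script&gt;" are caught as well as the plain "<script>" form.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),              # <script ...> tags
    re.compile(r"<\s*\w+[^>]*\son\w+\s*=", re.I),   # inline handlers (onerror=, onload=, ...)
    re.compile(r"javascript\s*:", re.I),            # javascript: URLs in href/src
    re.compile(r"<\s*(iframe|object|embed)\b", re.I),
]


def is_suspicious(subtitle: str) -> bool:
    """True if the subtitle contains markup that could execute script."""
    decoded = html.unescape(subtitle)  # do not let an encoded copy slip past the audit
    return any(p.search(decoded) for p in SUSPICIOUS_PATTERNS)


def render_safely(subtitle: str) -> str:
    """Output-encode a subtitle so the browser shows it as text (the mitigated case)."""
    return html.escape(subtitle, quote=True)


def audit_events(events: Iterable[dict]) -> list[int]:
    """Return the ids of calendar events whose subtitle looks like stored XSS."""
    return [e["id"] for e in events if is_suspicious(e.get("subtitle", ""))]


# Constructed sample records for demonstration; not real Moodle data.
SAMPLE_EVENTS = [
    {"id": 1, "subtitle": "Script writing workshop"},            # benign: word, not a tag
    {"id": 2, "subtitle": "<script>alert('test')</script>"},     # the page's verification payload
    {"id": 3, "subtitle": "<img src=x onerror=alert(1)>"},       # no <script>, still executes
    {"id": 4, "subtitle": "&lt;script&gt;alert(1)&lt;/script&gt;"},  # entity-encoded copy
    {"id": 5, "subtitle": 'Slides: <a href="javascript:void(0)">open</a>'},
    {"id": 6, "subtitle": "Deadline: 5 < 6 & 7 > 3"},            # benign angle brackets
]

if __name__ == "__main__":
    print("flagged event ids:", audit_events(SAMPLE_EVENTS))
    print("escaped:", render_safely(SAMPLE_EVENTS[1]["subtitle"]))
```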
