CVE-2021-47857: Moodle 3.10.3 - 'label' Persistent Cross Site Scripting

Published Jan 21, 2026

Updated

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event.

Affected Software

2 affected components

Moodle Moodle

Moodle Moodle=3.10.3

Event History

Jan 21, 2026

CVE Published

via MITRE·05:27 PM

Data Sourced

via MITRE·05:27 PM

DescriptionSeverityWeakness

Data Sourced

via NVD·06:16 PM

DescriptionSeverityWeaknessAffected Software

Frequently Asked Questions

What is the severity of CVE-2021-47857?

CVE-2021-47857 is classified as a medium severity vulnerability due to its potential for persistent cross-site scripting attacks.

How do I fix CVE-2021-47857?

To address CVE-2021-47857, upgrade to the latest version of Moodle that patches this vulnerability.

What versions of Moodle are affected by CVE-2021-47857?

CVE-2021-47857 specifically affects Moodle version 3.10.3.

Can CVE-2021-47857 be exploited remotely?

Yes, CVE-2021-47857 can be exploited remotely by an attacker crafting a malicious calendar event.

What type of vulnerability is CVE-2021-47857?

CVE-2021-47857 is a persistent cross-site scripting (XSS) vulnerability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.