MSA-21-0018: Reflected XSS and open redirect in LTI authorization endpoint

by Michael Hawkins.  

The redirect URI parameter accepted by the LTI authorization endpoint was not sufficiently sanitized before being reflected and used as a redirect target, which exposed the endpoint to reflected XSS and open redirect. The parameter now receives extra sanitizing.

Severity/Risk: Minor
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: Jordan Tomkinson
CVE identifier: CVE-2021-32478
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70622
Tracker issue: MDL-70622 Reflected XSS and open redirect in LTI authorization endpoint
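The general defence for an OIDC-style authorization endpoint such as the LTI 1.3 launch flow is to accept a redirect_uri only when it is an exact string match against the URIs registered for the requesting client_id, to refuse to redirect at all when it is not, and to HTML-escape anything reflected into the resulting error page. The following is an added example written for this page, not Moodle's code and not the MDL-70622 fix; the client_id, the registered URIs, the function names and the sample requests are all constructed for illustration.

```php
<?php
// Added example, not Moodle code: strict redirect_uri handling for an
// OIDC/LTI 1.3 authorization endpoint. All identifiers below are constructed.

declare(strict_types=1);

/**
 * Redirect URIs registered for each tool, keyed by client_id.
 * A real platform reads these from its tool registration store; the
 * entries here are constructed sample data.
 */
function registered_redirect_uris(string $clientid): array {
    $registry = [
        'tool-123' => [
            'https://tool.example.org/lti/launch',
            'https://tool.example.org/lti/deeplink',
        ],
    ];
    return $registry[$clientid] ?? [];
}

/**
 * Accept only a byte-for-byte match against a registered URI (RFC 6749
 * section 3.1.2.2). Exact matching rejects scheme downgrades, appended path
 * segments or query strings, userinfo tricks such as
 * https://tool.example.org@evil.example/ and javascript: URIs, because none
 * of them equal a registered string.
 */
function validate_redirect_uri(string $clientid, string $candidate): bool {
    foreach (registered_redirect_uris($clientid) as $registered) {
        if (hash_equals($registered, $candidate)) {
            return true;
        }
    }
    return false;
}

/**
 * Process one authorization request and return what the endpoint would send.
 * On a valid redirect_uri, answer with a 302 whose query string is built
 * with http_build_query (so state and other values are percent-encoded).
 * On an invalid one, never redirect to the supplied value (that would be the
 * open redirect) and escape anything echoed into the error page (that would
 * be the reflected XSS).
 */
function handle_authorization_request(array $params): array {
    $clientid    = (string)($params['client_id'] ?? '');
    $redirecturi = (string)($params['redirect_uri'] ?? '');
    $state       = (string)($params['state'] ?? '');

    if (!validate_redirect_uri($clientid, $redirecturi)) {
        $body = '<p>Invalid redirect_uri for client '
              . htmlspecialchars($clientid, ENT_QUOTES | ENT_HTML5, 'UTF-8')
              . '</p>';
        return ['status' => 400, 'location' => null, 'body' => $body];
    }

    // Append to an existing query string if the registered URI has one.
    $separator = (strpos($redirecturi, '?') === false) ? '?' : '&';
    $location  = $redirecturi . $separator . http_build_query([
        'state' => $state,
        'error' => 'access_denied', // placeholder outcome for the demo
    ]);
    return ['status' => 302, 'location' => $location, 'body' => ''];
}

// Constructed sample requests: one legitimate, two hostile.
$requests = [
    'registered' => ['client_id' => 'tool-123',
                     'redirect_uri' => 'https://tool.example.org/lti/launch',
                     'state' => 'abc 123'],
    'javascript' => ['client_id' => 'tool-123',
                     'redirect_uri' => 'javascript:alert(1)',
                     'state' => 'x'],
    'reflected'  => ['client_id' => '"><script>alert(1)</script>',
                     'redirect_uri' => 'https://evil.example/',
                     'state' => 'x'],
];

foreach ($requests as $name => $params) {
    $result = handle_authorization_request($params);
    printf("%-10s -> %d %s %s\n", $name, $result['status'],
        $result['location'] ?? '(no redirect)', $result['body']);
}
```

Running the script shows the registered request redirecting with `state=abc+123` encoded, the `javascript:` request answered with a 400 and no Location, and the hostile client_id reflected only in escaped form. The important design choice is that a mismatch produces an error page rather than a redirect to a "sanitized" version of the attacker's URI; the allowlist is the control, and escaping is only the belt to its braces.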

Read more: https://moodle.org/mod/forum/discuss.php?d=422314&parent=1701639