Wiz
Vulnerability DatabaseCVE-2021-32478

CVE-2021-32478
PHP vulnerability analysis and mitigation

Overview

The vulnerability (CVE-2021-32478) was identified in Moodle's LTI authorization endpoint, where insufficient sanitization of the redirect URI could lead to reflected XSS and open redirect risks. The issue affected Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, and earlier unsupported versions. The vulnerability was discovered by Jordan Tomkinson and was publicly disclosed on May 17, 2021 (Moodle Forum).

Technical details

The vulnerability was classified with CWE-601 and CWE-79, indicating both open redirect and cross-site scripting (XSS) vulnerabilities. The security flaw stemmed from insufficient sanitization of the redirect URI in the LTI (Learning Tools Interoperability) authorization endpoint (NVD).

Impact

The vulnerability could allow attackers to perform reflected XSS attacks and execute malicious open redirects through the LTI authorization endpoint, potentially compromising user security and privacy (Moodle Forum).

Mitigation and workarounds

The vulnerability was addressed in Moodle versions 3.11, 3.10.4, 3.9.7, and 3.8.9. Users running affected versions should upgrade to these patched versions to mitigate the security risk (Moodle Forum).

Additional resources

SourceThis report was generated using AI

Related PHP vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

GHSA-898v-775g-777cCRITICAL9.4
  • PHPPHP
  • neuron-core/neuron-ai
NoYesDec 09, 2025
GHSA-5j8p-438x-rgg5CRITICAL9.3
  • PHPPHP
  • onelogin/php-saml
NoYesDec 09, 2025
GHSA-j8g6-5gqc-mq36HIGH8.2
  • PHPPHP
  • neuron-core/neuron-ai
NoYesDec 09, 2025
GHSA-pvcv-q3q7-266gHIGH8.1
  • PHPPHP
  • filament/filament
NoYesDec 09, 2025
GHSA-6w82-v552-wjw2HIGH7.1
  • PHPPHP
  • shopware/shopware
NoYesDec 09, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo