Search for vulnerabilities
Vulnerability details: VCID-rctc-2tw7-6yf3
Vulnerability ID VCID-rctc-2tw7-6yf3
Aliases CVE-2021-36400
GHSA-35wf-3wq2-r3hx
Summary Moodle has Incorrect Default Permissions In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-276 Incorrect Default Permissions
CWE-639 Authorization Bypass Through User-Controlled Key
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00195 https://api.first.org/data/v1/epss?cve=CVE-2021-36400
epss 0.00195 https://api.first.org/data/v1/epss?cve=CVE-2021-36400
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-35wf-3wq2-r3hx
cvssv3.1 5.3 https://github.com/moodle/moodle
generic_textual MODERATE https://github.com/moodle/moodle
cvssv3.1 5.3 https://moodle.org/mod/forum/discuss.php?d=424806
generic_textual MODERATE https://moodle.org/mod/forum/discuss.php?d=424806
ssvc Track https://moodle.org/mod/forum/discuss.php?d=424806
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2021-36400
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2021-36400
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2021-36400
https://github.com/moodle/moodle
https://moodle.org/mod/forum/discuss.php?d=424806
https://nvd.nist.gov/vuln/detail/CVE-2021-36400
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
GHSA-35wf-3wq2-r3hx https://github.com/advisories/GHSA-35wf-3wq2-r3hx
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/moodle/moodle
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://moodle.org/mod/forum/discuss.php?d=424806
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-07T18:03:17Z/ Found at https://moodle.org/mod/forum/discuss.php?d=424806
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-36400
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.41871
EPSS Score 0.00195
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:15:18.419434+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-35wf-3wq2-r3hx/GHSA-35wf-3wq2-r3hx.json 36.1.3