Moodle 3.10.3 url Persistent Cross Site Scripting

2021.05.02

Credit: UVision

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: Moodle 3.10.3 - 'url' Persistent Cross Site Scripting
# Date: 22/04/2021
# Exploit Author: UVision
# Vendor Homepage: https://moodle.org/
# Software Link: https://download.moodle.org
# Version: 3.10.3
# Tested on: Debian/Windows 10
By having the role of a teacher or an administrator or a manager (to have the possibility to create a course):
- Create a new course (http://localhost/moodle/course/edit.php?category=1&returnto=topcat)
- Give any name , short name, date and other things required.
- In "Description" field, click on the "link" button
- In the url field, enter the payload : <img src=1 href=1 onerror="javascript:alert(1)"></img>
- Create the link, an alert window appears (close it several times so that it disappears) , save the course. ("Save and return")
Each time the course description is displayed, the stored xss is activated : activate it by viewing the course, by modifying it, etc.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Moodle 3.10.3 url Persistent Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.