@Danbardo
Last active May 24, 2022 12:14
Moodle 3.7.2 and Prior Persistent XSS on Unit Pages
There is a persistent XSS in /course/modedit.php of Moodle 3.7.2 and prior. Through the introeditor[text] parameter, an attacker can inject harmful scripts into the page, which are then executed in the browser of any user enrolled in the class. This can also be done through the TinyMCE HTML editor itself.
With lecturer-level access or above, Moodle allows the addition of many different objects to the home page of a class. Many of these objects allow an HTML-based description to be added via a web-based HTML editor. While a client-side sanitizer is used, it can very easily be avoided by intercepting the HTTP request and adding a JavaScript element to the introeditor[text] parameter. Once the JavaScript has been injected, it is executed on page load for any user who accesses the page (including users with lower or higher level access). This could lead to very targeted denial of service attacks, ransom, injection of harmful scripts, the collection of user information and a basis for social engineering attacks.
This XSS can very easily be used to lock students out of the unit page, or even force them to pay a ransom to access the class content (for example right before an exam). It could also very easily be used to trick students or users with higher-level access into entering their password, or simply to grab other information available on the class's homepage.
Moodle recognizes that lecturers are "XSS-capable", but at the time of reporting this issue the ability was undocumented and the security implications were not disclosed.
It is also worth noting that href attributes are not cleaned of "javascript:" URLs.
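As an added example (not code from the gist or from Moodle), a server-side allowlist sanitizer in Python that addresses both points above: it runs on the submitted value, so editing the request cannot skip it the way a client-side sanitizer can be skipped, and it rejects "javascript:" hrefs even when the scheme is mixed-case or padded with whitespace. The tag allowlist, the URL pattern and the sample fragment are assumptions for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical allowlists for a course description field (Moodle's own lists differ).
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br"}
SAFE_URL_RE = re.compile(r"^(https?:|mailto:|/|#)", re.IGNORECASE)  # javascript: never matches

def is_safe_url(url):
    # Browsers ignore ASCII whitespace/control chars inside a scheme, so strip
    # them before matching; otherwise "java\tscript:" slips past a naive check.
    return SAFE_URL_RE.match(re.sub(r"[\x00-\x20\x7f]", "", url)) is not None

class ServerSideSanitizer(HTMLParser):
    # Rebuilds the fragment from allowlisted tags and attributes only.
    def __init__(self):
        super().__init__()
        self.out, self.skip_depth = [], 0  # skip_depth > 0 inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags are dropped outright
        parts = [tag]
        for name, value in attrs:  # only a safe href survives; on*, style= etc. are dropped
            if tag == "a" and name == "href" and value is not None and is_safe_url(value):
                parts.append(f'href="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    p = ServerSideSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)

# Constructed sample resembling a tampered introeditor[text] value (not a real request).
SAMPLE = ('<p>Week 1 notes</p><script>document.title = "x"</script><a href=" JaVaScRiPt:void(0)">link</a>'
          '<a href="https://example.org/">ok</a><b onclick="f()">bold</b>')
```

Running sanitize(SAMPLE) keeps the paragraph, both links and the bold text but drops the script element, the javascript: href and the onclick handler.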
The below CVE was assigned by MITRE.
CVE-2019-18210