Danbardo / gist:4a6b0fe8cb21ec6d7c54e6ac951bdb0a
Last active May 24, 2022 12:14
Moodle 3.7.2 and Prior Persistent XSS on Unit Pages
There is a persistent XSS in /course/modedit.php of Moodle 3.7.2 and prior which allows an attacker to inject harmful
scripts into the page via the introeditor[text] parameter. The scripts are executed in the browser of any user enrolled
in the class. This can also be done through the TinyMCE HTML editor itself.
With lecturer-level access or above, Moodle allows the addition of many different objects to the home page of a class.
Many of these objects allow an HTML-based description to be added via a web-based HTML editor. While a client-side
sanitizer is used, it can be avoided very easily by intercepting the HTTP request and adding a JavaScript element to
the introeditor[text] parameter. Once the JavaScript has been injected, it is executed on page load for any user who
accesses the page (including users with lower or higher level access). This could lead to very targeted denial of service
attacks, ransom, injection of harmful scripts, the collection of user information and a basis for social engineerin
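
Because the client-side sanitizer described above can be skipped by editing the request, the server has to inspect the introeditor[text] value itself. The following is an added example, not Moodle code and not the project's fix: a server-side audit that flags active content in a submitted or stored description. The function, class and sample names are hypothetical, and the check covers a wider class of markup than the script element the write-up mentions.

```python
# Added example (not Moodle code): server-side audit of a description field
# such as introeditor[text]. All names here are hypothetical.
from html.parser import HTMLParser

# Elements that can run or load active content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes whose value is a URL and could carry a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentFinder(HTMLParser):
    """Collects findings; it does not try to rewrite the markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes entities.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"element <{tag}>")
        for name, value in attrs:
            # Drop whitespace/control characters before comparing the scheme.
            compact = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and compact.startswith(BAD_SCHEMES):
                self.findings.append(f"script URL in {name} on <{tag}>")


def audit_intro_html(html_text):
    """Return a list of findings; an empty list means nothing active was seen."""
    finder = ActiveContentFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample values standing in for what the server receives.
SAMPLES = {
    "benign": '<p>Week 1: <a href="https://example.org/notes">notes</a></p>',
    "script": "<p>Welcome</p><script>/* placeholder */</script>",
    "handler": '<img src="logo.png" ONLOAD="/* placeholder */">',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, audit_intro_html(body) or "clean")
```

This audit only flags content for rejection or review. Cleaning HTML for display should be left to a maintained server-side allowlist sanitizer applied when the description is saved or rendered.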