Moodle issue MDL-58409

Self-XSS in autocomplete element (for example "Tags")


    • MOODLE_31_STABLE, MOODLE_32_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • MOODLE_34_STABLE, MOODLE_35_STABLE
    • MDL-58409-master_needs_clean_in_autocomplete_element
    • Easy
      1. Create a new activity instance (e.g. Assign) and edit the settings for this module once done.
      2. In the Tags text field under the Tags section, enter:

        <script>alert("XSS!");</script>

        and hit enter

      3. Verify you don't see a browser alert, and
      4. Verify you see the tag created above the field, with the content you entered.
      5. Repeat steps 1-4 for a course tag, using the course edit form.
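The testing instructions above expect the tag text to be shown verbatim but never executed. The following is an added example (not Moodle's own autocomplete code) of the rendering pattern behind that expectation: a selected-item label concatenated into markup (the vulnerable form) beside the same rendering with the label entity-encoded for its context. The function names and the `selected-tag` markup are assumptions made for the example.

```javascript
// Added example, not code from MDL-58409 or from Moodle: rendering a
// user-entered tag label inside an autocomplete selection list.

function escapeHtml(text) {
  // Encode the characters that can break out of text or attribute context.
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the raw label is concatenated into markup, so a label
// such as <script>alert("XSS!");</script> becomes live HTML once the string
// is assigned to innerHTML. Kept here only to contrast with the safe form.
function renderSelectedTagUnsafe(label) {
  return '<span class="selected-tag" data-value="' + label + '">' + label + '</span>';
}

// Hardened pattern: every user-controlled value is encoded before it is
// placed in markup, for both the attribute value and the element text.
function renderSelectedTagSafe(label) {
  const clean = escapeHtml(label);
  return '<span class="selected-tag" data-value="' + clean + '">' + clean + '</span>';
}

// Check mirroring step 3 of the testing instructions: the rendered markup
// must not contain a <script> element for the entered label.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the label from the testing instructions.
const constructedLabel = '<script>alert("XSS!");</script>';

// Expected: the unsafe rendering contains a script element, the safe one
// shows the label as text (&lt;script&gt;...) instead.
console.log('unsafe contains <script>:', containsScriptTag(renderSelectedTagUnsafe(constructedLabel)));
console.log('safe contains <script>:', containsScriptTag(renderSelectedTagSafe(constructedLabel)));
console.log(renderSelectedTagSafe(constructedLabel));
```

The same encoding must be applied wherever the label is emitted (the hidden form value as well as the visible chip), otherwise the fix only moves the injection point.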

      I am reporting an XSS security issue in accordance with the bug in the Tag feature.

      The Tag feature on any page has an XSS vulnerability.

      Here are the steps to reproduce it:

      (1) Create a new quiz instance and open the edit form.

      (2) Enter a <script> tag, e.g. (<script>alert("XSS!");</script>)

      (3) !?

            David Carrillo
            Takayuki Fuwa
            Jake Dallimore
            Eloy Lafuente (stronk7)
            Anna Carissa Sadia