- Bug
- Resolution: Fixed
- Critical
- 3.4.1, 3.5.1, 3.6
- MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
- MOODLE_34_STABLE, MOODLE_35_STABLE
- MDL-61359-master
We have received an email to the security address at Moodle with the description of a self-XSS that can be easily reproduced. This is not a security issue because you cannot attack other users.
Security Researcher: Dan Nino I. Fabro
Description and Impact:
I was continually browsing the website when I found something
interesting. One of the features of the website is to enable
communication with other users using the chatbox, url:
https://school.demo.moodle.net/message/index.php?user=[USERNUMBER]&id=[IDNUMBER],
now, the input field of the chatbox is the one vulnerable here wherein
an attacker may use this as an attack vector for injecting arbitrary
javascript code and enable himself to steal or edit cookies of other
users of the site.
I was only using a demo account, what if real account already, right?
Payload used:
"><img src=x onerror=prompt(document.cookie)>
Browser used:
Google Chrome Version 61.0.3163.100 (Official Build) (64-bit)
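
The reported payload starts with `">`, which closes a quoted attribute and its tag before opening a new element. The following is an added example, not Moodle's code or the fix applied for this issue: it renders that payload through a hypothetical message template, raw and escaped, and lists which elements the resulting markup opens. The template, function names and the `data-draft` attribute are assumptions made for illustration.

```javascript
// Constructed sample input: the payload string quoted in the report above.
const REPORTED_PAYLOAD = '"><img src=x onerror=prompt(document.cookie)>';

// Escape the characters that are significant in HTML text and in
// quoted attribute values. "&" is replaced first so that entities
// produced by the later replacements are not escaped twice.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical template: the message text is echoed into a quoted
// attribute and into element content without any encoding.
function renderMessageUnsafe(text) {
  return '<div class="message" data-draft="' + text + '"><p>' + text + '</p></div>';
}

// Same hypothetical template with output encoding applied at the point of use.
function renderMessageEscaped(text) {
  const safe = escapeHtml(text);
  return '<div class="message" data-draft="' + safe + '"><p>' + safe + '</p></div>';
}

// Structural check for the demo: names of the elements the markup opens.
// Closing tags ("</p>") are skipped because "<" must be followed by a letter.
function openedTags(markup) {
  const matches = markup.match(/<[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return matches.map((tag) => tag.slice(1).toLowerCase());
}

// Stand-alone run: show which elements each rendering opens.
console.log('unsafe :', openedTags(renderMessageUnsafe(REPORTED_PAYLOAD)).join(','));
console.log('escaped:', openedTags(renderMessageEscaped(REPORTED_PAYLOAD)).join(','));
```

With escaping, the browser displays the payload as literal text and only the template's own `div` and `p` elements exist in the markup.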