Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-61420

XSS HTML encode Payload Bug on Moodle Messages

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Duplicate
    • 3.3.4, 3.4, 3.4.1
    • None
    • Messages
    • MOODLE_33_STABLE, MOODLE_34_STABLE

    Description

      Dear,

      First go to the Messages within the Moodle.  Then Message someone with traditional alert JS.  It will be blocked.  Then let's encode the "<script>alert("Boom")</script>" into HTML encoding "<script>alert("Boom")</script>".  Then it will prompt a Alert Box.  If u continue the testing, .......

      So, I've found a Cross Site Scripting Bug in all the universities website using Moodle. 

      If you guys consider it as a bug, please don't forget to give a Certificate of Appreciation or other incentive rewards for me.  Unless, it's okay.

      Best Regards,

      Hein

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-61359 Self-XSS when sending message to another user

          • Critical - Crashes server, loss of data, severe memory leak
          • Closed

          Activity

            People

              Unassigned Unassigned
              heinhtetkyaw Hein Htet Kyaw
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: