Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-61420

XSS HTML encode Payload Bug on Moodle Messages

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Minor Minor
    • None
    • 3.3.4, 3.4, 3.4.1
    • Messages
    • MOODLE_33_STABLE, MOODLE_34_STABLE

      Dear,

      First go to the Messages within the Moodle.  Then Message someone with traditional alert JS.  It will be blocked.  Then let's encode the "<script>alert("Boom")</script>" into HTML encoding "<script>alert("Boom")</script>".  Then it will prompt a Alert Box.  If u continue the testing, .......

      So, I've found a Cross Site Scripting Bug in all the universities website using Moodle. 

      If you guys consider it as a bug, please don't forget to give a Certificate of Appreciation or other incentive rewards for me.  Unless, it's okay.

      Best Regards,

      Hein

            Unassigned Unassigned
            heinhtetkyaw Hein Htet Kyaw
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.