Dear,
First, go to Messages within Moodle. Then message someone with the traditional alert JS. It will be blocked. Then let's encode the "<script>alert("Boom")</script>" into HTML encoding "<script>alert("Boom")</script>". Then it will prompt an Alert Box. If you continue the testing, .......
So, I've found a Cross-Site Scripting bug in all the university websites using Moodle.
If you guys consider it a bug, please don't forget to give a Certificate of Appreciation or other incentive rewards to me. Otherwise, it's okay.
Best Regards,
Hein
Duplicates: MDL-61359 Self-XSS when sending message to another user (Closed)
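The behaviour reported above (literal markup blocked, entity-encoded markup executed) is what a "filter first, decode later" pipeline produces. The following is an added example, not Moodle's code and not a statement of the actual root cause: `renderFlawed`, `renderHardened` and the entity-encoded sample string are hypothetical and constructed for illustration.

```javascript
// Added illustration (hypothetical pipeline, not Moodle's implementation).
const ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Single-pass entity decoder, standing in for a later rich-text/render stage.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : m;
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(ENTITIES, key) ? ENTITIES[key] : m;
  });
}

// Flawed order: a blocklist inspects the raw input, then a later stage
// decodes entities and the result is inserted into the page as markup.
function renderFlawed(msg) {
  if (/<\s*script/i.test(msg)) return null;   // literal tag is rejected
  return decodeEntities(msg);                 // encoded tag is revived here
}

// Hardened: treat the message as text and escape it at output time.
// No blocklist and no decoding step, so there is nothing to bypass.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderHardened(msg) {
  return escapeHtml(msg);
}

// Constructed sample inputs: the literal message and an entity-encoded form.
const literal = '<script>alert("Boom")</script>';
const encoded = '&lt;script&gt;alert(&quot;Boom&quot;)&lt;/script&gt;';

console.log('flawed, literal :', renderFlawed(literal));
console.log('flawed, encoded :', renderFlawed(encoded));
console.log('hardened, encoded:', renderHardened(encoded));
```

With output escaping, the single round of entity decoding the browser performs returns exactly the characters the sender typed, displayed as text rather than parsed as markup.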