  1. Moodle
  2. MDL-61420

XSS HTML encode Payload Bug on Moodle Messages


Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Duplicate
    • 3.3.4, 3.4, 3.4.1
    • None
    • Messages
    • MOODLE_33_STABLE, MOODLE_34_STABLE

    Description

      Dear,

      First go to the Messages within the Moodle.  Then message someone with traditional alert JS.  It will be blocked.  Then let's encode the "<script>alert("Boom")</script>" into HTML encoding "<script>alert("Boom")</script>".  Then it will prompt an alert box.  If you continue the testing, .......

      So, I've found a Cross Site Scripting bug in all the university websites using Moodle.

      If you guys consider it as a bug, please don't forget to give a Certificate of Appreciation or other incentive rewards for me.  Unless, it's okay.

      Best Regards,

      Hein
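
An added illustration, not Moodle code and not part of the report: it assumes the reported behaviour comes from a blocklist that inspects the raw message while a later step decodes HTML entities before output, and contrasts that with escaping at output. All function names are hypothetical, and the entity-encoded sample is constructed, since the encoded string is not preserved on this page.

```javascript
// Added illustration; not Moodle code. All names are hypothetical.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Decode numeric and a few named HTML character references.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
  });
}

// Escape a string for use in an HTML text context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Weak ordering: the blocklist sees the raw text, then entities are decoded,
// so markup the filter never saw is what reaches the page.
function renderWeak(msg) {
  if (/<\s*script/i.test(msg)) return null; // message "blocked"
  return decodeEntities(msg);
}

// Hardened: no blocklist; the message is treated as plain text (assumption)
// and escaped at the point of output, so no input form becomes markup.
function renderSafe(msg) {
  return escapeHtml(msg);
}

const RAW = '<script>alert("Boom")</script>';                 // string from the report
const ENCODED = '&lt;script&gt;alert("Boom")&lt;/script&gt;'; // constructed encoded form

console.log('weak, raw     :', renderWeak(RAW));
console.log('weak, encoded :', renderWeak(ENCODED));
console.log('safe, raw     :', renderSafe(RAW));
console.log('safe, encoded :', renderSafe(ENCODED));
```
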


            People

              Unassigned
              heinhtetkyaw Hein Htet Kyaw
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo