[MOBILE-3733] Self-XSS in DM (Mobile app) - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 3.9.4
Fix Version/s: None
Component/s: Error reporting, Messages add-on
Labels:
- dm
- message
- mobile
- triaged
- xss

Affected Branches:
MOODLE_39_STABLE

Description

There is a way to self-xss in the mobile app (made on Android)

Steps:

Open dm with anybody (myself in my case)
Send "<img src=x onerror=alert(1)>"
It alert : "1"

(Reopen the DM doesn't reexecute the script, it only work on the sender at the sending)

It maybe can be injected with other way

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

20210411_194909.jpg
177 kB
12/Apr/21 2:38 AM
20210411_194925.jpg
112 kB
12/Apr/21 2:38 AM

Activity

People

Assignee:: Unassigned

Reporter:: djdjdjf

Participants:: Dani Palou, djdjdjf

Component watchers:

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 12/Apr/21 2:37 AM

Updated:: 08/Jun/21 7:30 PM