Moodle Atto Editor Cross Site Scripting ≈ Packet Storm – Digitalmunition

Exploit/Advisories no image

Published on March 27th, 2021 📆 | 3807 Views ⚑


Moodle Atto Editor Cross Site Scripting ≈ Packet Storm

# Exploit Title: Moodle Atto Editor Cross Site Scripting
# Date: 26.03.2021
# Author: Vincent666 ibn Winnie
# Software Link:
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or
# My Youtube Channel:


Video PoC: (Update)

Stored XSS in Atto Editor (default editor)

Use Demo:

Choose a role : Student (example)

Open calendar :

Create new event:


Event Title “Test”

Description :Choose Insert Video File and choose Video:

Video Source Url you can paste video link from youtube

And open Subtitles and Captions:

Subtitle track URL use video link from youtube

Field Label : There is we can use xss code:

or try in base64

type=”image/svg+xml” AllowScriptAccess=”always”>

Insert Media and save this.

Open event and get stored xss.

Or we can use Profile:

Field Label in the Editor vulnerable to XSS.

We can use XSS and js redirect in the profile:




User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
Gecko/20100101 Firefox/87.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate, br

Content-Type: application/json

X-Requested-With: XMLHttpRequest

Content-Length: 996


Connection: keep-alive


Cookie: MoodleSession=4ea0036558425526decc096ed375b886;


Source link

Tagged with:

Leave a Reply