- Bug
- Resolution: Not a bug
- Major
- None
- 2.9.1
- None
- MOODLE_29_STABLE
Hi,
I want to report that I found a security vulnerability in your application version 2.9.1 (build 20150903): a Persistent Cross-Site Scripting (XSS) under creation of a new course.
Steps to reproduce:
1. Log in to an admin account.
2. Go to Course -> Manage Courses.
3. Put <script>alert(documnet.cookie)</script> in the Course summary field.
This payload is executed if users go to the course page (logged-in users and guests).
Attached is a POC video that shows the attack. If you need any additional information, feel free to contact me...
Download POC video: http://1drv.ms/1LPPYZZ
More information regarding XSS and how to protect against it: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Please confirm that you received all needed details and verified this issue.
Thanks,
Alex
- will be (partly) resolved by MDL-58639 Remove RISK_XSS from capabilities, instead rely on moodle/site:trustcontent
- Reopened