Moodle vulnerable to stored Cross-site Scripting
Moderate severity
GitHub Reviewed
Published
May 16, 2023
to the GitHub Advisory Database
•
Updated Nov 11, 2023
Description
Published by the National Vulnerability Database
May 16, 2023
Published to the GitHub Advisory Database
May 16, 2023
Reviewed
May 17, 2023
Last updated
Nov 11, 2023
Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in
/admin/settings.php
. This vulnerability may lead an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer.References