Skip to content

danielthatcher/moodle-login-csrf

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
shell
shell
 
 
README.md
README.md
 
 
attack.html
attack.html
 
 
cookie.php
cookie.php
 
 
moodle.js
moodle.js
 
 
plugin.zip
plugin.zip
 
 
recv.php
recv.php
 
 

Repository files navigation

This repository contains the files used in finding and exploiting two moodle bugs, MSA-18-0020 (CVE-2018-16854) and MSA-19-0004 (CVE-2019-3847), which leverage the ability for users to add JavaScript to their own dashboards. MSA-18-0020 relies on CSRF on the login form, whereas MSA-19-0004 requires an administrator to impersonate a user.

More details can be found in this blog post.

Fixed moodle versions

  • MSA-18-0020 (CVE-2018-16854): 3.6, 3.5.3, 3.4.6, 3.3.9, and 3.1.15.
  • MSA-19-0004 (CVE-2019-3847): 3.6.3, 3.5.5, 3.4.8, and 3.1.17.

About

Scripts for exploiting MSA-18-0020 (CVE-2018-16854) and MSA-19-0004 (CVE-2019-3847)

medium.com/@daniel.thatcher/obtaining-xss-using-moodle-features-and-minor-bugs-2035665989cc

Resources

Readme
Activity

Stars

7 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages