Headline
CVE-2021-36568: Blog Hacking Force
In certain Moodle products, after creating a course, it is possible to add a resource to an arbitrary “Topic”, in this case a “Database” with a field of type “Text”, whose “Field name” and “Field description” values are vulnerable to stored Cross-Site Scripting (XSS). This affects Moodle 3.11, Moodle 3.10.4 and Moodle 3.9.7.
Description
After creating a course, it is possible to add a “Database” resource with a text input field, in which the “Field name” and “Field description” values are vulnerable to stored Cross-Site Scripting (XSS).
Proof of Concept (POC)
To exploit the vulnerability, a user must access the course and click the “Search” option.
The affected fields are “Field name” and “Field description”, both text inputs.
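For administrators checking an instance after upgrading, the following added example (not from the original advisory and not Moodle code) audits field definitions for stored markup in the two affected values and shows the output encoding that renders them inert. The row layout (id, field name, field description) and all sample values are constructed assumptions; export the real rows from your own instance.

```python
import html
from html.parser import HTMLParser

# Constructed sample rows: (field id, "Field name", "Field description").
SAMPLE_FIELDS = [
    (1, "Title", "Short title of the entry"),
    (2, "Price < 10 & in stock", "Plain text with special characters"),
    (3, "<script>/* constructed */</script>", "Notes"),
    (4, "Author", '<img src="x" onerror="/* constructed */">'),
]


class _TagCollector(HTMLParser):
    """Records every element and event-handler attribute the parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(f"tag:{tag}")
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"handler:{name.lower()}")


def markup_in(value):
    """Return the tags and event handlers a browser-like parser finds in value."""
    collector = _TagCollector()
    collector.feed(value)
    collector.close()
    return collector.findings


def audit_fields(rows):
    """Map field id -> {"name"/"description": findings} for rows holding markup."""
    report = {}
    for field_id, name, description in rows:
        hits = {"name": markup_in(name), "description": markup_in(description)}
        hits = {key: found for key, found in hits.items() if found}
        if hits:
            report[field_id] = hits
    return report


def render_label(value):
    """Output-encode a stored value before placing it in an HTML text context."""
    return html.escape(value, quote=True)
```

Parsing the values instead of matching on angle brackets keeps plain text such as "Price < 10 & in stock" out of the report.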
Affected Versions
- 3.9.7
- 3.10.4
- 3.11
Researchers/Hackers
Thiago Martins (Kirito), Leandro Inacio (Saitama), Matheus Oliveira (Froyd) and Lucas Gomes (Sinnat)