Vendor: Moodle
By: Osanda Malith Jayathissa
CVSS: 7.5 (HIGH)
CWE: 79 (Persistent XSS)
Product Name: Moodle
Affected Version From: Moodle 2.7
Affected Version To: Moodle 2.7.1
Patch Exists: YES
Related CWE:
CPE: a:moodle:moodle:2.7
Metasploit:
Other Scripts:
Platforms Tested:
2014

Moodle 2.7 Persistent XSS

The vulnerability allows an attacker to inject malicious code into the Skype ID field of a user's profile, leading to a persistent XSS attack.

Mitigation:

Upgrade to Moodle 2.7.1 or later, which includes the necessary patches.

Exploit-DB raw data:

Title: Moodle 2.7 Persistent XSS
Vendor: https://moodle.org/
Moodle advisory: https://moodle.org/mod/forum/discuss.php?d=264265
Researched by: Osanda Malith Jayathissa (@OsandaMalith)
E-Mail: osanda[cat]unseen.is
Original write-up: http://osandamalith.wordpress.com/2014/07/25/moodle-2-7-persistent-xss/

[-] POC
================

1. Edit your profile
2. Click Optional
3. In Skype ID field inject this payload

x" onload="prompt('XSS by Osanda')">"

[-] Disclosure Timeline
========================

2014-05-24: Responsibly disclosed to the Vendor
2014-05-27: Suggested a fix
2014-06-04: Fix got accepted
2014-07-21: Vendor releases a security announcement 
2014-07-24: Released Moodle 2.7.1 stable with all patches
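
The class of bug behind the POC above, shown from the defender's side as an added example (this is not Moodle's code or the researcher's). It assumes the stored Skype ID is written into a quoted HTML attribute, as the payload's leading `x"` suggests; the function names, the `status.example.invalid` URL and the allowlist pattern are hypothetical.

```php
<?php
// Added example: hypothetical template code, not taken from Moodle.
// Constructed sample input: the payload quoted in the POC section.
$skypeId = 'x" onload="prompt(\'XSS by Osanda\')">"';

// Vulnerable pattern: the stored value is concatenated into a quoted attribute,
// so a double quote in the value closes the attribute early.
function render_unsafe(string $id): string {
    return '<img alt="status" src="https://status.example.invalid/' . $id . '">';
}

// Hardened pattern: URL-encode the value for the path segment, then HTML-encode
// the whole URL for the attribute context.
function render_safe(string $id): string {
    $url = 'https://status.example.invalid/' . rawurlencode($id);
    return '<img alt="status" src="'
        . htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Defence in depth at input time: an assumed allowlist for the profile field.
function is_plausible_id(string $id): bool {
    return preg_match('/^[A-Za-z0-9._,:\-]{1,64}$/', $id) === 1;
}

// Parse the rendered markup and list the attribute names on the <img> element.
// An attribute other than alt/src means the value escaped its context.
function img_attributes(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate the malformed markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    $names = [];
    $img = $doc->getElementsByTagName('img')->item(0);
    foreach ($img->attributes as $attr) {
        $names[] = $attr->name;
    }
    sort($names);
    return $names;
}

echo 'unsafe: ', implode(', ', img_attributes(render_unsafe($skypeId))), PHP_EOL;
echo 'safe:   ', implode(', ', img_attributes(render_safe($skypeId))), PHP_EOL;
echo 'passes input allowlist: ', var_export(is_plausible_id($skypeId), true), PHP_EOL;
```

Comparing the parsed attribute lists of the two renderings gives a regression check that can be run against any profile field that is echoed into markup.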