https://pwnwiki.com/index.php?action=history&feed=atom&title=Moodle_3.10.3_XSS%E6%BC%8F%E6%B4%9EMoodle 3.10.3 XSS漏洞 - Revision history2026-04-07T20:02:02ZRevision history for this page on the wikiMediaWiki 1.35.1https://pwnwiki.com/index.php?title=Moodle_3.10.3_XSS%E6%BC%8F%E6%B4%9E&diff=1884&oldid=prevPwnwiki: 建立內容為「==XSS== <pre> # Exploit Title: Moodle 3.10.3 - 'url' Persistent Cross Site Scripting # Date: 22/04/2021 # Exploit Author: UVision # Vendor Homepage: https://moodl…」的新頁面2021-04-24T01:33:07Z<p>建立內容為「==XSS== <pre> # Exploit Title: Moodle 3.10.3 - 'url' Persistent Cross Site Scripting # Date: 22/04/2021 # Exploit Author: UVision # Vendor Homepage: https://moodl…」的新頁面</p>
<p><b>New page</b></p><div>==XSS==<br />
<pre><br />
# Exploit Title: Moodle 3.10.3 - 'url' Persistent Cross Site Scripting<br />
# Date: 22/04/2021<br />
# Exploit Author: UVision<br />
# Vendor Homepage: https://moodle.org/<br />
# Software Link: https://download.moodle.org<br />
# Version: 3.10.3<br />
# Tested on: Debian/Windows 10<br />
<br />
By having the role of a teacher or an administrator or a manager (to have the possibility to create a course): <br />
<br />
- Create a new course (http://localhost/moodle/course/edit.php?category=1&returnto=topcat)<br />
- Give any name , short name, date and other things required.<br />
- In "Description" field, click on the "link" button<br />
- In the url field, enter the payload : <img src=1 href=1 onerror="javascript:alert(1)"></img><br />
- Create the link, an alert window appears (close it several times so that it disappears) , save the course. ("Save and return")<br />
<br />
Each time the course description is displayed, the stored xss is activated : activate it by viewing the course, by modifying it, etc.<br />
<br />
</pre></div>Pwnwiki