Moodle is susceptible to cross-site scripting (XSS) attacks because it does not sanitize the idnumber parameter in cohort/edit.php, allowing malicious authenticated users to inject arbitrary web script or HTML through it.
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31691
openwall.com/lists/oss-security/2012/05/23/2
osvdb.org/82072
github.com/moodle/moodle/commit/4022860ea823b302ee60ddc37d0d9321b1961a83
github.com/moodle/moodle/commit/ad520779df8284958195494b23b12ec1c7387741
github.com/moodle/moodle/commit/eb9d9965767c7fd88db2e09935fe7431ec9e3e87
moodle.org/mod/forum/discuss.php?d=203055
security-tracker.debian.org/tracker/CVE-2012-2365