| Field | Value |
|---|---|
| Vulnerability Name | CVE-2019-18210 (CCN-176244) |
| Assigned | 2019-10-19 |
| Published | 2019-10-19 |
| Updated | 2021-12-21 |
| Summary | Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. Note: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug." |
| CVSS v3 Severity (Base) | 5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) |
| CVSS v3 Severity (Temporal) | 5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:U/RC:R) |
| CVSS v3 Severity (CCN Temporal) | 5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:U/RC:R) |
| CVSS v2 Severity | 3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N) |
| Vulnerability Type | CWE-79 |
| Vulnerability Consequences | Cross-Site Scripting |
| Reference (Source: MITRE, Type: CNA) | CVE-2019-18210 |
| Reference (Source: MISC, Type: Vendor Advisory) | https://docs.moodle.org/38/en/Teacher_role |
| Reference (Source: XF, Type: UNKNOWN) | moodle-cve201918210-xss(176244) |
| Reference (Source: CCN, Type: GitHub Web site) | Moodle 3.7.2 and Prior Persistent XSS on Unit Pages |
| Reference (Source: MISC, Type: Third Party Advisory) | https://gist.github.com/Danbardo/4a6b0fe8cb21ec6d7c54e6ac951bdb0a |
| Reference (Source: CCN, Type: Moodle Web site) | Moodle - Open-source learning platform \| Moodle.org |
| Vulnerable Configuration | Configuration 1; Configuration CCN 1 (legend: denotes that component is vulnerable) |
| Oval Definitions | |