The vulnerability in Moodle's policy tool arises from insufficient sanitization of the return URL parameter, allowing attackers to inject malicious JavaScript. When a user is redirected back after accepting a policy, the return URL is reflected in the response without proper validation. An attacker can craft a link carrying a script payload that executes in the victim's browser when they open it. This could lead to session hijacking, phishing, or unauthorized actions performed with the victim's credentials.
DailyCVE Form:
Platform: Moodle
Version: <4.1.18, 4.3.0-4.3.11, 4.4.0-4.4.7, 4.5.0-4.5.3
Vulnerability: Reflected XSS
Severity: Moderate
Date: Apr 25, 2025
What Undercode Says:
Exploitation:
1. Craft a malicious URL with a JavaScript payload in the `returnurl` parameter:
   https://vulnerable-moodle.com/mod/policy/accept.php?returnurl=javascript:alert(document.cookie)
2. Trick a user into clicking the link via phishing.
3. The script executes in the victim's session.
Detection:
- Check the Moodle version:
  grep "\$version" /path/to/moodle/version.php
- Scan for the vulnerable endpoint:
  curl -sk "https://target.com/mod/policy/accept.php?returnurl=test" | grep "test"
Mitigation:
1. Update Moodle to a patched version (4.1.18, 4.3.12, 4.4.8, 4.5.4).
2. Implement input filtering:
   $returnurl = filter_var($_GET['returnurl'], FILTER_VALIDATE_URL);
3. Use Content Security Policy (CSP) headers:
   Header set Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline'"
4. Manual patch for unpatched versions:
   // In accept.php, sanitize returnurl before use
   $returnurl = htmlspecialchars($returnurl, ENT_QUOTES, 'UTF-8');
Additional Checks:
- Audit logs for suspicious redirects:
  grep "mod/policy/accept.php" /var/log/moodle/access.log
- Test with automated scanners:
  python3 xsstrike.py -u "https://target.com/mod/policy/accept.php"
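The mitigation steps above leave two gaps a defender should know about: FILTER_VALIDATE_URL checks URL syntax, not the scheme, so a value such as javascript://host/%0aalert(1) passes it; htmlspecialchars protects the value only where it is echoed into HTML, not where it is used as a redirect target; and a CSP that grants script-src 'unsafe-inline' does not block injected inline script or javascript: navigation. The added example below (written for this page, not Moodle's own code) shows the allow-list check that closes the first two gaps, plus a scan of the access-log audit from "Additional Checks" that flags requests whose returnurl would fail that check. The site root (Moodle keeps it in $CFG->wwwroot), the /mod/policy/accept.php path taken from the page, and the combined-log-format lines are assumptions; the log lines are constructed, not real traffic.

```php
<?php
// Added example, not Moodle's own code. Allow-list check for a "returnurl"
// parameter plus a scan of constructed access-log lines against that check.

/** True only if $candidate is a site-local path or an absolute URL on $siteRoot. */
function is_safe_return_url(string $candidate, string $siteRoot): bool
{
    // Control characters and whitespace never belong in a redirect target; this also
    // catches the raw newline in a decoded "javascript://host/%0aalert(1)" payload.
    if ($candidate === '' || preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return false;
    }
    // Relative path: exactly one leading "/" ("//host" and "/\host" are scheme-relative).
    if ($candidate[0] === '/') {
        return preg_match('#^/[/\\\\]#', $candidate) === 0;
    }
    // Absolute URL: scheme, host and port must all match the configured site root,
    // so any javascript:, data: or off-site target is rejected.
    $url  = parse_url($candidate);
    $site = parse_url($siteRoot);
    if ($url === false || $site === false
        || !isset($url['scheme'], $url['host'], $site['scheme'], $site['host'])) {
        return false;
    }
    return strtolower($url['scheme']) === strtolower($site['scheme'])
        && strtolower($url['host'])   === strtolower($site['host'])
        && ($url['port'] ?? null)     === ($site['port'] ?? null);
}

/** Returns $candidate when it passes the allow-list, otherwise a fixed fallback path. */
function safe_return_url(?string $candidate, string $siteRoot, string $fallback = '/'): string
{
    return ($candidate !== null && is_safe_return_url($candidate, $siteRoot))
        ? $candidate : $fallback;
}

/**
 * Scans combined-format access-log lines (assumed format) for requests to
 * accept.php and returns the decoded returnurl values that fail the allow-list.
 */
function find_suspicious_returnurls(array $lines, string $siteRoot): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Pull the path+query out of the quoted request line.
        if (!preg_match('#"(?:GET|POST) (\S*/mod/policy/accept\.php\?[^ "]*)#', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);   // percent-decodes, as $_GET would
        if (!isset($params['returnurl']) || !is_string($params['returnurl'])) {
            continue;
        }
        if (!is_safe_return_url($params['returnurl'], $siteRoot)) {
            $hits[] = $params['returnurl'];
        }
    }
    return $hits;
}

// Assumed site root; in Moodle this is $CFG->wwwroot.
$siteRoot = 'https://moodle.example.edu';

// Usage in a handler: never redirect to the raw parameter.
$target = safe_return_url($_GET['returnurl'] ?? null, $siteRoot, '/my/');

// Constructed sample log lines, not real traffic.
$log = [
    '203.0.113.5 - - [25/Apr/2025:10:01:02 +0000] "GET /mod/policy/accept.php?returnurl=%2Fmy%2F HTTP/1.1" 302 0',
    '203.0.113.9 - - [25/Apr/2025:10:02:15 +0000] "GET /mod/policy/accept.php?returnurl=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0',
    '203.0.113.9 - - [25/Apr/2025:10:02:16 +0000] "GET /mod/policy/accept.php?returnurl=%2F%2Fevil.example%2Fphish HTTP/1.1" 302 0',
    '203.0.113.7 - - [25/Apr/2025:10:03:00 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 5120',
];
foreach (find_suspicious_returnurls($log, $siteRoot) as $bad) {
    echo "suspicious returnurl: {$bad}\n";
}
```

The check is deliberately an allow-list rather than a denylist of schemes: comparing scheme, host and port against the site root means userinfo tricks (https://moodle.example.edu@evil.example/), scheme-relative paths and unusual schemes all fall through to the fallback without needing a separate rule each. The log scan reuses the same function, so what the handler would refuse is exactly what the audit reports.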
Sources:
Reported By: github.com