Description
An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other pages, where it can be viewed by other users.
Remediation
References
Related Vulnerabilities
Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-2687)
WordPress Plugin WooCommerce Anti-Fraud Security Bypass (3.2)
ProjectSend Insertion of Sensitive Information into Log File Vulnerability (CVE-2019-11492)
WordPress 3.8.x Cross-Site Scripting Vulnerability (3.8 - 3.8.11)
TYPO3 Insertion of Sensitive Information into Log File Vulnerability (CVE-2021-32767)