Title: Moodle 2.7 Persistent XSS Vendor: https://moodle.org/ Moodle advisory: https://moodle.org/mod/forum/discuss.php?d=264265 Researched by: Osanda Malith Jayathissa (@OsandaMalith) E-Mail: osanda[cat]unseen.is Original write-up: http://osandamalith.wordpress.com/2014/07/25/moodle-2-7-persistent-xss/ [-] POC ================ 1. Edit your profile 2. Click Optional 3. In Skype ID field inject this payload x" onload="prompt('XSS by Osanda')">" [-] Disclosure Timeline ======================== 2014-05-24: Responsibly disclosed to the Vendor 2014-05-27: Suggested a fix 2014-06-04: Fix got accepted 2014-07-21: Vendor releases a security announcement 2014-07-24: Released Moodle 2.7.1 stable with all patches