CVE-2018-1045
Description
Moodle 3.x stored XSS in calendar event names allows attackers to inject arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Moodle 3.0 through 3.3.3, 3.2.6 and earlier, and 3.1.9 and earlier contain a stored cross-site scripting (XSS) vulnerability in the calendar event name field [1][2]. The application fails to properly sanitize user-supplied input when creating or editing calendar events, allowing arbitrary HTML and JavaScript to be persisted [2].
Exploitation
An attacker with the ability to create or modify calendar events (typically an authenticated user with relevant permissions) can include malicious script code in the event name [2]. No special network position is required beyond access to the Moodle instance; the attack can be carried out via the standard calendar event interface. The injected payload is stored and subsequently executed when other users view the event.
Impact
Successful exploitation leads to stored cross-site scripting, which can result in theft of session cookies, defacement, or other actions performed in the context of the victim's browser session [1][2]. The attacker does not gain elevated server-side privileges directly, but can perform any action the victim user is authorized for.
Mitigation
Moodle has fixed this vulnerability in versions 3.3.4, 3.2.7, and 3.1.10 [2]. Users should upgrade to these or later versions. No workarounds are documented in the available references.
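Because the payload is stored with the event, an administrator of an instance that ran an affected version may want to review existing event names for markup. The following is an added example, not Moodle's code or part of the advisory: it scans a CSV export of events, and the column names (id, userid, name) and the sample rows are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample export of calendar events. The column names (id, userid,
# name) are assumptions for this example, not taken from the advisory.
SAMPLE_EXPORT = """id,userid,name
101,7,Midterm exam
102,7,Lab <b>moved</b> to room 4
103,12,<script>/* constructed */</script>
104,9,"Q&A session, 3 < 5 pm"
105,15,Office hours <img src=x onerror=noop()>
"""

# A '<' directly followed by a letter (or '/' and a letter) starts an HTML tag.
TAG = re.compile(r"</?[a-z][a-z0-9]*", re.I)
# Constructs that can run script once a tag is present.
ACTIVE = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.I)


def classify(name):
    """Return 'active', 'markup', or None for a single event name."""
    if not TAG.search(name):
        return None  # plain text, including a bare '<' such as "3 < 5"
    return "active" if ACTIVE.search(name) else "markup"


def audit(export_text):
    """Return (event id, user id, verdict) for every name containing markup."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        verdict = classify(row["name"])
        if verdict:
            findings.append((int(row["id"]), int(row["userid"]), verdict))
    return findings


if __name__ == "__main__":
    for event_id, user_id, verdict in audit(SAMPLE_EXPORT):
        print(f"event {event_id} (user {user_id}): {verdict}")
```

Rows reported as "active" carry script-capable constructs and deserve review first; "markup" rows contain tags only and may be harmless formatting.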
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 3.3, < 3.3.4 | 3.3.4 |
| moodle/moodle (Packagist) | >= 3.2, < 3.2.7 | 3.2.7 |
| moodle/moodle (Packagist) | >= 3.1, < 3.1.10 | 3.1.10 |
Affected products (1)
Patches (0)
No patches discovered yet.
References (5)
- github.com/advisories/GHSA-595j-wpfg-23w4 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1045 (ghsa; ADVISORY)
- www.securityfocus.com/bid/102755 (mitre; vdb-entry, x_refsource_BID)
- moodle.org/mod/forum/discuss.php (ghsa; x_refsource_CONFIRM, WEB)
- web.archive.org/web/20210124134120/http://www.securityfocus.com/bid/102755 (ghsa; WEB)