CVE-2018-1136
Description
Authenticated users in Moodle 3.x can move HTML blocks with scripts from their personal Dashboard to other pages, leading to stored XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An issue in Moodle 3.x allows authenticated users to add HTML blocks containing scripts to their personal Dashboard. While a personal Dashboard is normally only visible to the user, the vulnerability arises because users can move such a block to other pages (e.g., course pages, site home) where other users can view it. This affects all Moodle 3.x versions. [1]
Exploitation
An attacker needs an authenticated Moodle account. They create an HTML block with a malicious script on their Dashboard, then use the block's move functionality to place it on a page accessible to other users. No special privileges beyond a standard user account are required. [1]
Impact
Successful exploitation results in stored cross-site scripting (XSS). Other users viewing the affected page will execute the attacker's script, potentially leading to session hijacking, data theft, or defacement. [1]
Mitigation
The provided references do not specify a fixed version or release date. Administrators should monitor Moodle security advisories and upgrade to a patched version when available. As a workaround, consider restricting the ability to move blocks or disabling the HTML block type. [1][2]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | >= 3.1, < 3.1.12 | 3.1.12 |
| moodle/moodle | Packagist | >= 3.2, < 3.2.9 | 3.2.9 |
| moodle/moodle | Packagist | >= 3.3, < 3.3.6 | 3.3.6 |
| moodle/moodle | Packagist | >= 3.4, < 3.4.3 | 3.4.3 |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/advisories/GHSA-xhfw-wjjc-4j5h (advisory; source: GHSA)
- nvd.nist.gov/vuln/detail/CVE-2018-1136 (advisory; source: GHSA)
- www.securityfocus.com/bid/104307 (VDB entry, x_refsource_BID; source: GHSA)
- moodle.org/mod/forum/discuss.php (web, x_refsource_CONFIRM; source: GHSA)
News mentions (0)
No linked articles in our index yet.