CVE-2019-3810
Description
A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moodle /userpix/ page fails to escape users' full names, enabling stored XSS via profile image hover text.
Vulnerability
A stored cross-site scripting (XSS) flaw exists in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15, and earlier unsupported versions. The /userpix/ page does not escape users' full names, which are included as text when hovering over profile images [1][2]. This page is not linked to by default and its access is restricted, meaning only users who know the URL or have the page bookmarked can reach it [2][4].
Exploitation
An attacker must have the ability to set or modify their own full name in Moodle (i.e., be an authenticated user with profile editing privileges). No special network position is required beyond normal web access to the Moodle instance. The attack requires no user interaction beyond the victim hovering over a profile image on the /userpix/ page. Once the attacker sets a malicious full name (e.g., containing JavaScript payloads), any user visiting the page and hovering over the image will trigger the payload in their browser [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session on the Moodle site. This can lead to session hijacking, defacement, or theft of sensitive data. The attacker gains the same privileges as the victim within the Moodle application [1][2].
Mitigation
Moodle has released patches for the affected versions; the fix was committed upstream as MDL-64372 [4]. Administrators should upgrade to Moodle 3.6.2, 3.5.4, 3.4.7 or 3.1.16, or a later release of the same branch. If an immediate upgrade is not possible, restricting access to the /userpix/ page through the web server configuration or a .htaccess file can serve as a temporary workaround [2][4].
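To make the defect and its fix concrete, the following is an added example (not Moodle's code and not the MDL-64372 patch) showing the unescaped way of building a profile image's hover text beside the attribute-escaped form, plus a parser-based check that a reviewer could keep as a regression test; the function names, the sample display name and the image URL are assumptions.

```php
<?php
// Added example, not Moodle's code: a stand-in for how a /userpix/-style listing
// might build each profile <img>, with the unescaped form beside the escaped one.
// $fullname is assumed to come straight from the user's own editable profile.

function render_userpic_unsafe(string $fullname, string $src): string
{
    // Vulnerable pattern: the full name lands inside the title/alt attributes
    // as-is, so a quote in the name terminates the attribute and whatever
    // follows is parsed as new markup (stored XSS triggered on hover).
    return '<img src="' . $src . '" title="' . $fullname . '" alt="' . $fullname . '">';
}

function render_userpic_safe(string $fullname, string $src): string
{
    // Attribute-context escaping: ENT_QUOTES converts both " and ' so the
    // attribute cannot be closed early; ENT_SUBSTITUTE avoids returning an
    // empty string on malformed UTF-8 (which would silently drop the name).
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $name  = htmlspecialchars($fullname, $flags, 'UTF-8');
    $url   = htmlspecialchars($src, $flags, 'UTF-8');
    return '<img src="' . $url . '" title="' . $name . '" alt="' . $name . '">';
}

// Regression check: the rendered snippet must be exactly one <img> element and
// nothing else, i.e. the name never escaped its attribute. A real HTML parser is
// used instead of a regex so the check sees what a browser would see.
function single_img_only(string $html): bool
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $body = $doc->getElementsByTagName('body')->item(0);
    $elements = $body->getElementsByTagName('*');
    return $elements->length === 1 && $elements->item(0)->tagName === 'img';
}

// Constructed sample: a display name carrying a quote that closes the attribute,
// followed by a harmless <b> marker (no script; enough to show the break-out).
$fullname = 'Jane "><b>x</b> Doe';
$src      = 'https://moodle.example/user/pix.php/42/f1.jpg';

if (single_img_only(render_userpic_unsafe($fullname, $src))) {
    throw new RuntimeException('unsafe renderer unexpectedly contained the name');
}
if (!single_img_only(render_userpic_safe($fullname, $src))) {
    throw new RuntimeException('escaped renderer let the name break out');
}
echo render_userpic_safe($fullname, $src), PHP_EOL;
```

Moodle's own output layer exposes the same escaping through its `s()` helper; the point of the check is that any user-controlled string placed in an attribute goes through it.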
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 3.6.0, < 3.6.1 | 3.6.1 |
| moodle/moodle (Packagist) | >= 3.5.0, < 3.5.3 | 3.5.3 |
| moodle/moodle (Packagist) | >= 3.4.0, < 3.4.6 | 3.4.6 |
| moodle/moodle (Packagist) | >= 3.1.0, < 3.1.15 | 3.1.15 |
Affected products (2)
Patches (0)
No patches discovered yet.
References (5)
News mentions (0)
No linked articles in our index yet.