Moodle: reflected XSS risk in some returnurl parameters
Description
The vulnerability exists in Moodle due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick a victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. This flaw allows a remote attacker to perform reflected cross-site scripting (XSS) attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | < 3.9.19 | 3.9.19 |
| moodle/moodle | Packagist | >= 3.10.0, < 3.11.12 | 3.11.12 |
| moodle/moodle | Packagist | >= 4.0.0-beta, < 4.0.6 | 4.0.6 |
| moodle/moodle | Packagist | >= 4.1.0-beta, < 4.1.1 | 4.1.1 |
Affected products
- (no CPE) range: >= 3.9.0, < 3.9.19
- (no CPE) range: < 3.9.19
Patches
Vulnerability mechanics
Root cause
"Insufficient sanitization of user-supplied data in returnurl parameters allows injection of arbitrary HTML and script code."
Attack vector
A remote attacker crafts a link whose `returnurl` parameter carries an HTML or JavaScript payload and delivers it by email, chat, or other social engineering. When the victim follows it, the affected page reflects the unsanitized value into its output, and the script runs in the origin of the vulnerable Moodle site with whatever session the victim holds. The attacker needs no account on the target site; the victim, however, must be able to reach the affected page (see Preconditions) [CWE-79] [ref_id=1].
Affected code
The vulnerability affects multiple Moodle files that handle `returnurl` parameters: `course/switchrole.php`, `backup/backupfilesedit_form.php`, `blog/external_blog_edit_form.php`, `mod/wiki/filesedit_form.php`, `question/bank/history/history.php`, `question/bank/previewquestion/preview.php`, and `user/action_redir.php`. These files read the user-supplied return URL with the `PARAM_RAW` or `PARAM_URL` type. `PARAM_RAW` applies no cleaning at all, and `PARAM_URL` only checks that the value is a well-formed URL without restricting which host it points to, so neither type confines the value to the local site [patch_id=6651204].
What the fix does
The patch changes the parameter type from `PARAM_RAW` or `PARAM_URL` to `PARAM_LOCALURL` in the seven files listed above [patch_id=6651204]. `PARAM_LOCALURL` accepts only relative paths and absolute URLs under the site's own web root (`$CFG->wwwroot`); anything else is cleaned to an empty string, so the page falls back to its default destination instead of reflecting attacker-controlled input. Restricting the type keeps script and markup payloads out of these parameters (and, as a side effect, removes their use as open redirects). The value still has to be escaped wherever it is written into HTML: the type check is input validation, not output encoding.
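As an added illustration (not code from Moodle or from this advisory), the block below models the before and after behaviour in Python. `clean_local_url` is a simplified stand-in for the local-URL allowlist that the text attributes to `PARAM_LOCALURL` (Moodle's real implementation is its `clean_param()` function and differs in detail), `render_return_link_vulnerable` mirrors the unfiltered, unescaped `PARAM_RAW`-style sink, and `render_return_link` the hardened one. The site root `https://moodle.example.org` and every payload are constructed for the example. It goes beyond the page's specific case in that it also handles protocol-relative URLs and look-alike hosts, which a filter that merely checks for a leading `/` or a host prefix would let through.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed: hypothetical site root standing in for Moodle's $CFG->wwwroot.
WWWROOT = "https://moodle.example.org"

# Characters that never appear in a well-formed URL and would let a value
# break out of an href attribute if it were echoed unescaped.
_FORBIDDEN = re.compile(r'[\s\x00-\x1f\x7f"\'<>`\\]')


def clean_local_url(value: str, wwwroot: str = WWWROOT) -> str:
    """Simplified model of a local-URL allowlist (not Moodle's clean_param).

    Returns the value unchanged if it is a root-relative path or an absolute
    URL under wwwroot; otherwise returns "" so the caller falls back to its
    default, which is the safe failure mode for this kind of filter.
    """
    if not value or _FORBIDDEN.search(value):
        return ""
    root = urlsplit(wwwroot)
    root_path = root.path.rstrip("/")
    try:
        parts = urlsplit(value)
    except ValueError:
        return ""
    scheme = parts.scheme.lower()

    if scheme == "":
        # No scheme: a netloc here means a protocol-relative URL such as
        # //evil.example/, which a naive "starts with /" check would accept.
        if parts.netloc:
            return ""
        # Stricter than the real PARAM_LOCALURL: only root-relative paths.
        return value if parts.path.startswith("/") else ""

    # Any other scheme (javascript:, data:, vbscript:, ...) is rejected, and
    # the scheme must match wwwroot so http://wwwroot does not pass for https.
    if scheme != root.scheme.lower():
        return ""
    # Host and port must match exactly; a prefix match would admit
    # https://moodle.example.org.evil.example/ or user@host tricks.
    if parts.netloc.lower() != root.netloc.lower():
        return ""
    # Path must sit under the wwwroot path (matters for /moodle style installs).
    if parts.path != root_path and not parts.path.startswith(root_path + "/"):
        return ""
    return value


def render_return_link(raw_returnurl: str, default: str = "/") -> str:
    """Model of the hardened sink: filter, fall back to a default, escape on output.

    The type filter limits what reaches the sink; the href is still
    attribute-escaped because input validation is not output encoding.
    """
    target = clean_local_url(raw_returnurl) or default
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)


def render_return_link_vulnerable(raw_returnurl: str) -> str:
    """Model of the pre-fix pattern: PARAM_RAW-style, no cleaning, no escaping."""
    return '<a href="%s">Continue</a>' % raw_returnurl


if __name__ == "__main__":
    # Constructed payloads, not taken from the advisory.
    for candidate in [
        "/course/view.php?id=2",
        "https://moodle.example.org/course/view.php?id=2",
        "//evil.example/",
        "https://moodle.example.org.evil.example/",
        "javascript:alert(1)",
        '/x"><script>alert(1)</script>',
    ]:
        print("%-48s -> %r" % (candidate, clean_local_url(candidate)))
```

Run it directly to see which candidates survive the filter; only the two genuinely local URLs come back non-empty, and `render_return_link` turns every rejected value into a link to the default destination.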
Preconditions
- auth: The victim must be logged into a Moodle instance running a vulnerable version
- input: The attacker must craft a URL with a malicious returnurl parameter
- network: The victim must follow the crafted link (e.g., via email or social engineering)
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-97qf-pq7x-964m (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-23921 (advisory)
- bugzilla.redhat.com/show_bug.cgi (web)
- moodle.org/mod/forum/discuss.php (web)