Topic: | Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine |
Severity/Risk: | Major (if global search enabled) |
Versions affected: | <1.8.12 and <1.9.8 |
Reported by: | Sascha Herzog |
Issue no.: | MDL-21649 |
Solution: | upgrade to 1.8.12 or 1.9.8 |
Workaround: | apply patch http://cvs.moodle.org/moodle/search/query.php?r1=1.16.2.10&r2=1.16.2.11 |
Description:
Sascha Herzog found a problem in the handling of user submitted data in global search forms. This problem is exploitable only when global search is enabled. Please note that the global search feature is still listed as experimental and is disabled by default.