Security announcements

MSA-18-0004: XSS in calendar event name

 
Picture of Marina Glancy

It is possible to inject JavaScript into the event name in the calendar block. Normally the capability to create events is only given to trusted users (such as teachers); however, that capability is not marked as having XSS risk, so this is considered a security issue.


Severity/Risk: Minor
Versions affected: 3.3 to 3.3.3, 3.2 to 3.2.6, 3.1 to 3.1.9 and earlier unsupported versions
Versions fixed: 3.3.4, 3.2.7 and 3.1.10
Reported by: Rubens Brandao
CVE identifier: CVE-2018-1045
Changes (3.3): https://git.moodle.org/gw?p=moodle.git&a=search&h=MOODLE_33_STABLE&st=commit&s=MDL-60235
Tracker issue: MDL-60235 XSS in event name in block_calendar
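
The rule the advisory applies, shown as an added stand-alone example (this is not Moodle's code and not the MDL-60235 fix): a field rendered as raw HTML is a security issue when the capability that writes it is not flagged as an XSS risk. All function names, the `EX_RISK_*` constants and the URL are hypothetical, and `htmlspecialchars()` stands in for whatever output filter the real fix uses.

```php
<?php
// Added example: every name here is hypothetical, nothing is taken from Moodle.

// Local stand-ins for capability risk flags (values constructed for this example).
const EX_RISK_XSS  = 0x04;
const EX_RISK_SPAM = 0x10;

// Vulnerable pattern: the event name is concatenated into the block HTML as-is.
function render_event_unsafe(string $name, string $url): string {
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">' . $name . '</a>';
}

// Hardened pattern: the name is plain text, so it is HTML-escaped on output.
function render_event_safe(string $name, string $url): string {
    $text = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">' . $text . '</a>';
}

// The template emits exactly one <a> and one </a>; any further tag came from data.
function has_injected_markup(string $html): bool {
    return preg_match_all('/<\/?[a-zA-Z]/', $html) > 2;
}

// Raw HTML output is acceptable by design only when the writing capability
// carries the XSS risk flag; otherwise it is a security issue.
function is_security_issue(int $riskbitmask, bool $renderedraw): bool {
    return $renderedraw && ($riskbitmask & EX_RISK_XSS) === 0;
}

// Constructed sample input: an event name that carries markup.
$name = 'Exam <script>alert(1)</script>';
$url  = '/calendar/view.php?view=day';   // hypothetical URL
$capabilityrisk = EX_RISK_SPAM;          // assumed: capability not flagged for XSS

foreach (['unsafe' => 'render_event_unsafe', 'safe' => 'render_event_safe'] as $label => $fn) {
    $html = $fn($name, $url);
    $raw  = has_injected_markup($html);
    printf("%-6s injected=%s issue=%s\n  %s\n", $label,
        var_export($raw, true),
        var_export(is_security_issue($capabilityrisk, $raw), true),
        $html);
}
```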