It is possible to inject javascript in the event name in the calendar block. Normally capability to create events is only given to trusted users (such as teachers), however it is not marked as having XSS risk, therefore it is considered a security issue.
| Severity/Risk: | Minor |
| Versions affected: | 3.3 to 3.3.3, 3.2 to 3.2.6, 3.1 to 3.1.9 and earlier unsupported versions |
| Versions fixed: | 3.3.4, 3.2.7 and 3.1.10 |
| Reported by: | Rubens Brandao |
| CVE identifier: | CVE-2018-1045 |
| Changes (3.3): | https://git.moodle.org/gw?p=moodle.git&a=search&h=MOODLE_33_STABLE&st=commit&s=MDL-60235 |
| Tracker issue: | MDL-60235 XSS in event name in block_calendar |