Client-side prototype pollution for Moodle

by Shravan K

We are using Moodle 3.11 and would like to know about client-side prototype pollution in Moodle.
During the security review it was found that, while accessing any of the pages on Moodle, if we create an object in the console and try to change its value, the value gets changed.
This is considered client-side prototype pollution.

With this, a hacker can get the internal value of the object using `__proto__`, modify the original value of the object data and process the request with the modified object.
Could you please help us mitigate this?
I am adding the screenshot here for reference.

Attachment: ptp.png
In reply to Shravan K

Re: Client-side prototype pollution for Moodle

by Michael Hawkins

Hi Shravan,

What you are achieving here is creating an object in the browser console, and then manipulating your own object. JavaScript can be executed in the browser console as that is its purpose. You will be able to paste the same code snippet into the console on any website and achieve the same output.

Although in this case the information is not a security issue, please carefully read the following, which is an excerpt from information published at the very top of this forum:

Please do not post security scans or vulnerability findings in this public forum. Any potential vulnerabilities can be submitted via the Security Submission form, which adheres to our Security Procedures and Responsible Disclosure Policy.
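To make the distinction in Michael's reply concrete, here is an added example (not code from this thread or from Moodle) that contrasts editing your own object in the console with what a real client-side prototype pollution bug looks like: a hypothetical deep-merge helper that recurses into an attacker-supplied `__proto__` key, shown beside a hardened version that refuses prototype-chain keys.

```javascript
// Added example, not Moodle code. Names (unsafeMerge, safeMerge, UNTRUSTED) are hypothetical.

// What the console experiment in the question does: a local object is changed,
// but no other object on the page is affected.
function editOwnObject() {
  const mine = { role: 'student' };
  mine.role = 'admin';
  const other = {};
  return { mine: mine.role, leaked: other.role }; // { mine: 'admin', leaked: undefined }
}

// Hypothetical deep-merge helper of the kind found in many front-end libraries.
// It copies keys from `src` into `dst` recursively, including "__proto__".
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val && typeof val === 'object') {
      if (!dst[key] || typeof dst[key] !== 'object') dst[key] = {};
      unsafeMerge(dst[key], val); // dst["__proto__"] resolves to Object.prototype
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened variant: skip keys that reach the prototype chain and only recurse
// into the destination's own plain-object properties.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN.has(key)) continue;
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || typeof dst[key] !== 'object') dst[key] = {};
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed untrusted input, as it might arrive from a query string or JSON body.
// JSON.parse creates an *own* "__proto__" key, so Object.keys() returns it.
const UNTRUSTED = JSON.parse('{"__proto__": {"isAdmin": true}, "theme": "dark"}');

// Returns true if merging UNTRUSTED into a throwaway object made an unrelated,
// freshly created object inherit the attacker's key (real pollution).
function pollutes(mergeFn) {
  const before = ({}).isAdmin; // undefined on a clean prototype
  mergeFn({}, UNTRUSTED);
  const after = ({}).isAdmin;
  delete Object.prototype.isAdmin; // clean up so later checks start fresh
  return before === undefined && after === true;
}
// pollutes(unsafeMerge) → true, pollutes(safeMerge) → false
```

The defender's check is the one in `safeMerge`: any code path that writes attacker-controlled keys into objects must reject `__proto__`, `constructor` and `prototype` (or build the target with `Object.create(null)`), whereas assigning to an object you created yourself in the console changes nothing for other scripts.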

In reply to Shravan K

Re: Client-side prototype pollution for Moodle

by Marcus Green
This is how the web works. You can do anything you want to JavaScript items in your own browser on any web site. But Michael is the real expert on this.