CVE-2019-18210

Name of the Vulnerable Software and Affected Versions Moodle versions 3.7.2 and earlier

Description The issue allows authenticated users, such as those with a Teacher role or above, to inject JavaScript into another user's session, including enrolled students or site administrators, via the introeditor[text] parameter in the /course/modedit.php endpoint. There is a disagreement between the discoverer and the vendor regarding the expectation of trust for users authenticated as Teachers to add arbitrary JavaScript, as this ability is not documented on Moodle's Teacher role page.

Recommendations For Moodle versions 3.7.2 and earlier, as a temporary workaround, consider disabling the ability for Teachers to edit course modules or restrict access to the /course/modedit.php endpoint until a resolution is provided. Avoid using the introeditor[text] parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.