A reflected cross-site scripting (XSS) vulnerability (CVE-2024-43439) has been identified in Moodle, allowing an attacker to execute arbitrary JavaScript within the context of a Moodle website when a victim visits a specially crafted link.
The vulnerability was discovered during a penetration test of a Moodle-based website. The attack is possible when a teacher, who could also be the victim, uploads an H5P file to a course. While the H5P file itself does not contain malicious content, an attacker (such as a malicious student) can obtain and modify the link associated with this file. By replacing part of the link with double URL-encoded JavaScript code, the attacker can create a link that, when viewed by the victim, triggers execution of the embedded JavaScript code. This is possible because an error message related to H5P files is not properly sanitized before it is displayed.
An attacker could execute arbitrary JavaScript code within the victim’s Moodle session, which could lead to actions such as session hijacking or unauthorized data access.
It is recommended to upgrade to the latest version of Moodle to fix this vulnerability.
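The double-encoding mechanism described above can be checked for in web server logs. The following is an added example, not Moodle's code and not part of the original advisory: it flags links whose markup characters appear only after a second round of percent-decoding, and shows an error message being escaped at output. The host, path, `url` parameter name and sample links are constructed assumptions; the advisory does not name the affected parameter.

```python
import html
from urllib.parse import urlsplit, parse_qsl, unquote

MARKUP = set("<>\"'")  # characters that matter once a value lands in HTML

def decode_layers(value, max_rounds=5):
    """Percent-decode until the value stops changing.
    Returns (final_value, number_of_rounds_that_changed_it)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def flag_double_encoded(url):
    """Names of query parameters that look clean after the normal single
    decode but contain markup characters after further decoding."""
    hits = []
    # parse_qsl applies the first, expected round of decoding.
    for name, once in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        final, extra = decode_layers(once)
        if extra >= 1 and MARKUP & set(final) and not MARKUP & set(once):
            hits.append(name)
    return hits

def render_error(message):
    """Escape the message at the point it is written into the page, so any
    number of decoding layers upstream cannot turn it into markup."""
    return '<div class="error">' + html.escape(message, quote=True) + "</div>"

# Constructed sample links (hypothetical host, path and parameter name).
SAMPLES = [
    "https://moodle.example/placeholder.php?url=https%3A%2F%2Fmoodle.example%2Ffile.h5p",
    "https://moodle.example/placeholder.php?url=%253Cscript%253Ealert(1)%253C%252Fscript%253E",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(flag_double_encoded(link) or "clean", "-", link)
    decoded, _ = decode_layers("%253Cscript%253Ealert(1)%253C%252Fscript%253E")
    print(render_error(decoded))
```

A single-decode input filter sees only `%3Cscript%3E...` in the second sample, which is why the check compares the value after one decode with the value after all decodes.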