PT-2024-18: Stored Cross-Site Scripting (Stored XSS) in Moodle

Vendor: Moodle
Product: Moodle
Vulnerable versions: 4.0 - 4.3.3, 4.2 - 4.2.6, 4.1 - 4.1.9 and earlier unsupported versions

Vulnerability type:
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Identifiers (ID):
- BDU:2024-04201
- CVE-2024-33998

Vulnerability vector:
- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
- Severity (CVSSv3.1): 6.8 (medium)
- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
- Severity (CVSSv4.0): 6.8 (medium)

Description:
The vulnerability was identified in Moodle versions 4.0 - 4.3.3, 4.2 - 4.2.6, 4.1 - 4.1.9 and older unsupported versions. Insufficient escaping of participants' names in the page table leads to a Stored XSS attack when interacting with some features. A low-privileged authenticated user (PR:L) can store a name containing active HTML, which is then rendered unescaped in the table for other users; the stored payload executes when a victim views the affected page (UI:R). The discovered vulnerability allows an attacker to execute arbitrary JavaScript code in the victim's browser, in the victim's session context (S:C, C:H).

Vulnerability status: Confirmed by vendor
Date of vulnerability detection: 22.02.2024

Recommendations: Update to versions 4.3.4, 4.2.7, 4.1.10 or higher.

Additional information: Security Bulletin

Researcher: Aleksey Solovev (Positive Technologies)
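The pattern behind CWE-79 in a participants table, as an added illustration that is not Moodle's code and not the vendor's fix (the actual patch is in the linked Security Bulletin): a display name controlled by one user is written into HTML seen by other users. The participant records, the column names and the injected name below are constructed for the example; the hardened variant escapes every untrusted value at the HTML output sink, and a small HTML parser shows what a browser would actually see in each case.

```python
import html
from html.parser import HTMLParser

# Constructed sample data (not real Moodle records). The third participant's
# display name carries an HTML injection payload, standing in for a name that
# a low-privileged user could set in their own profile.
PARTICIPANTS = [
    {"id": 1, "name": "Alice Example", "role": "Teacher"},
    {"id": 2, "name": "Bob O'Brien", "role": "Student"},
    {"id": 3, "name": '<img src=x onerror="alert(1)">', "role": "Student"},
]

# Tags the page legitimately emits; anything else comes from user input.
EXPECTED_TAGS = {"table", "tr", "td"}


def render_table_unescaped(participants):
    """Vulnerable pattern: user-controlled names are interpolated into HTML as-is."""
    rows = "".join(
        f"<tr><td>{p['id']}</td><td>{p['name']}</td><td>{p['role']}</td></tr>"
        for p in participants
    )
    return f"<table>{rows}</table>"


def render_table_escaped(participants):
    """Hardened pattern: every untrusted value is HTML-escaped at the output sink.

    quote=True also escapes ' and ", so the value is safe inside attribute
    values as well as in text content.
    """
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(str(p["id"]), quote=True),
            html.escape(p["name"], quote=True),
            html.escape(p["role"], quote=True),
        )
        for p in participants
    )
    return f"<table>{rows}</table>"


class _TagCollector(HTMLParser):
    """Records start tags and on* attributes, i.e. what a browser would execute."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_handlers.extend(name for name, _ in attrs if name.startswith("on"))


def foreign_tags(rendered):
    """Set of tag names in the rendered HTML that the template did not emit itself."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return set(parser.tags) - EXPECTED_TAGS


def event_handler_attrs(rendered):
    """List of on* attribute names a browser would parse from the rendered HTML."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.event_handlers


if __name__ == "__main__":
    vuln = render_table_unescaped(PARTICIPANTS)
    safe = render_table_escaped(PARTICIPANTS)
    print("unescaped: foreign tags", foreign_tags(vuln), "handlers", event_handler_attrs(vuln))
    print("escaped:   foreign tags", foreign_tags(safe), "handlers", event_handler_attrs(safe))
```

The check is deliberately done with an HTML parser rather than a substring search: the escaped output still contains the text `onerror=` as harmless character data, and only tokenising the markup the way a browser does shows whether it becomes an element with an executable attribute. The same reasoning applies when reviewing a fix: look at where the value reaches the HTML sink, not at whether the stored string "looks" dangerous.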