CVE-2019-18210 in Moodle
Summary
by MITRE
** DISPUTED ** Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug."
Analysis
by VulDB Data Team • 05/11/2025
CVE-2019-18210 represents a persistent cross-site scripting vulnerability found in Moodle's course management functionality, specifically within the /course/modedit.php script through version 3.7.2. This vulnerability stems from inadequate input validation and sanitization of the introeditor[text] parameter, which allows authenticated users with Teacher roles or higher to inject malicious JavaScript code into the session of other users within the same Moodle instance. The flaw operates through a classic persistent XSS attack vector where the malicious payload is stored on the server and subsequently executed whenever affected users view the compromised content, creating a dangerous attack surface that can be exploited against students or even site administrators who have elevated privileges.
The technical implementation of this vulnerability involves the improper handling of user-supplied content within the rich text editor interface of Moodle's course module editing functionality. When teachers or higher-privileged users create or modify course modules, the system accepts the introeditor[text] parameter without sufficient sanitization, allowing attackers to embed JavaScript payloads that execute in the context of other users' browsers. This vulnerability falls under CWE-79 - Improper Neutralization of Input During Web Page Generation, specifically the persistent variant where malicious input is stored and then executed in the victim's browser context. The attack requires minimal privileges since authenticated users with Teacher roles can exploit this without needing administrator-level access, making it particularly concerning for educational institutions that rely on Moodle's role-based access control.
The operational impact of this vulnerability extends beyond simple data theft or session hijacking, as it can enable attackers to escalate privileges, steal sensitive information, or perform unauthorized actions within the Moodle environment. When executed against administrators or high-privilege users, the JavaScript payloads can potentially compromise entire institutional learning management systems, allowing attackers to modify course content, access student records, manipulate grades, or even execute arbitrary commands on the server if additional vulnerabilities exist. The persistent nature of this XSS flaw means that once exploited, the malicious code continues to execute for all affected users until manually removed, creating a long-term security risk that can persist across multiple user sessions and browser visits.
From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1059.007 - Command and Scripting Interpreter: JavaScript, and represents a critical weakness in Moodle's input validation architecture that could be exploited as part of broader attack campaigns targeting educational institutions. The vendor's classification of this as a false positive reflects a fundamental disagreement about trust boundaries within Moodle's role-based security model, where the expectation that teachers should be trusted with code execution capabilities conflicts with security best practices that advocate for least privilege principles. Organizations should implement additional security controls such as Content Security Policy headers, enhanced input validation, and regular security audits to mitigate the risk of such vulnerabilities, while also reconsidering role assignments and privilege escalation mechanisms within their Moodle deployments to prevent unauthorized code injection attacks.
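As a concrete form of the audit step recommended above, the following added example (not part of the advisory and not Moodle code) scans stored module intro HTML for script-capable markup. It assumes the intro text has already been exported from the site's database; the function names, row ids and sample rows are constructed for illustration.

```python
from html.parser import HTMLParser

# Elements that run or embed active content when the intro is rendered.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes the browser treats as a URL.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}
# URL schemes that can execute script.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

class ActiveContentFinder(HTMLParser):
    """Collects (kind, location) findings for script-capable markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onerror, onload, ...
                self.findings.append(("event-handler", f"{tag}[{name}]"))
            elif name in URL_ATTRS and value:
                # Browsers drop tabs/newlines inside URLs; strip them first.
                url = "".join(c for c in value if c > " ").lower()
                if url.startswith(SCRIPT_SCHEMES):
                    self.findings.append(("script-url", f"{tag}[{name}]"))

def audit_intro(intro_html):
    """Return the findings for one stored intro field."""
    finder = ActiveContentFinder()
    finder.feed(intro_html)
    finder.close()
    return finder.findings

def audit_rows(rows):
    """Map row id -> findings, keeping only rows with findings."""
    return {rid: f for rid, text in rows if (f := audit_intro(text))}

# Constructed sample rows: (hypothetical module id, stored intro HTML).
SAMPLE_INTROS = [
    (101, "<p>Read chapter 3 before <b>Friday</b>.</p>"),
    (102, '<p>Hi</p><script src="https://example.invalid/x.js"></script>'),
    (103, '<img src="pic.png" onerror="void 0">'),
    (104, '<a href="java\tscript:void(0)">syllabus</a>'),
]

if __name__ == "__main__":
    print(audit_rows(SAMPLE_INTROS))
```

This is a triage aid for reviewing what Teacher-level accounts have stored, not a sanitizer: a clean result does not prove the content is safe, and a finding may be markup the site deliberately permits.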