Vulnerability Bulletins

MSA-20-0015: Chapter name in book not always escaped with forceclean enabled


System information

   
Affected software PHP

Description

By Michael Hawkins. It was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page.

Note: By default this functionality is only available to trusted users (such as teachers), but has been included as a security issue as a precaution, since it was not sanitized on sites with forceclean enabled.

Severity/Risk: Minor
Versions affected: 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7
Versions fixed: 3.9.2, 3.8.5 and 3.7.8
Reported by: DegrangeM

More info:

https://moodle.org/mod/forum/discuss.php?d=410843&parent=1657005

Standard resources

Property Value
CVE CVE-2020-25631

Version history

Version Comments Date
1.0 Advisory issued 2020-09-22
Ministerio de Defensa
CNI
CCN
CCN-CERT