MSA-18-0004: XSS in calendar event name

by Marina Glancy.  

It is possible to inject JavaScript into the event name in the calendar block. Normally the capability to create events is given only to trusted users (such as teachers); however, that capability is not marked as having XSS risk, so this is considered a security issue.


Severity/Risk: Minor
Versions affected: 3.3 to 3.3.3, 3.2 to 3.2.6, 3.1 to 3.1.9 and earlier unsupported versions
Versions fixed: 3.3.4, 3.2.7 and 3.1.10
Reported by: Rubens Brandao
CVE identifier: CVE-2018-1045
Changes (3.3): https://git.moodle.org/gw?p=moodle.git&a=search&h=MOODLE_33_STABLE&st=commit&s=MDL-60235
Tracker issue: MDL-60235 XSS in event name in block_calendar

Read more https://moodle.org/mod/forum/discuss.php?d=364384&parent=1469494