moodle before versions 3.5.2, 3.4.5, 3.3.8 is vulnerable to a boost theme - blog search GET parameter insufficiently filtered. The breadcrumb navigation provided by Boost theme when displaying search results of a blog were insufficiently filtered, which could result in reflected XSS if a user followed a malicious link containing JavaScript in the search parameter.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
| Link | Tags |
|---|---|
| https://moodle.org/mod/forum/discuss.php?d=376025 | patch vendor advisory |
| http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62857 | patch vendor advisory |
| http://www.securityfocus.com/bid/105371 | vdb entry third party advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14631 | issue tracking third party advisory patch |