Moodle PDF Annotator Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Moodle PDF Annotator plugin, version 1.5 release 9. This issue allows low-privileged authenticated users, such as students, to inject arbitrary JavaScript into the Public Comments feature. The injected script is executed in the browsers of other users, including students, teachers, and admins, when they view the annotated PDF. This exploitation could lead to session hijacking, credential theft, or other actions controlled by the attacker.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the PDF. This could result in session theft, unauthorized actions performed in the victim's session, manipulation of the user interface, or potentially chaining attacks depending on the context.

Reproduction

To reproduce this vulnerability, a low-privileged user (e.g., a student) must add a public comment to an annotated PDF using the PDF Annotator plugin. This comment can include unescaped HTML or JavaScript. Once the comment is saved, another user (such as a teacher or admin) must open the same annotated PDF. The injected script will execute in their browser, demonstrating the cross-site scripting vulnerability.