CVE-2019-3810

MEDIUM

moodle 3.1.0-3.1.15 3.6.0-3.6.1 - Cross-Site Scripting in User Profile Image Hover Text

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-3810. PoCs published by Fariskhi Vidyan, farisv.

AI-analyzed exploit summary This exploit demonstrates a persistent XSS vulnerability in Moodle versions prior to 3.6.2, 3.5.4, 3.4.7, and 3.1.16. The PoC leverages a stored XSS in the user profile fields to execute JavaScript, which then escalates the attacker's privileges to administrator by extracting the sesskey and making a POST request to the admin role assignment endpoint.

Description

A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.

Exploits (2)

exploitdb WORKING POC

by Fariskhi Vidyan · textwebappsphp

https://www.exploit-db.com/exploits/49814

View Code ZIP pw:eip

This exploit demonstrates a persistent XSS vulnerability in Moodle versions prior to 3.6.2, 3.5.4, 3.4.7, and 3.1.16. The PoC leverages a stored XSS in the user profile fields to execute JavaScript, which then escalates the attacker's privileges to administrator by extracting the sesskey and making a POST request to the admin role assignment endpoint.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Moodle < 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16

Auth required

Prerequisites: Attacker must have a student account in Moodle · Administrator must visit the /userpix/ page or a link containing the malicious payload · External hosting of the XSS payload (e.g., Pastebin)

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 17 stars

by farisv · poc

https://github.com/farisv/Moodle-CVE-2019-3810

View Code ZIP pw:eip

This is a working PoC for CVE-2019-3810, a stored XSS vulnerability in Moodle that allows privilege escalation from student to admin. The exploit involves injecting malicious JavaScript via user profile fields, which executes when an admin visits the `/userpix/` page.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Moodle (< 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16)

Auth required

Prerequisites: Student account access · Admin interaction with `/userpix/` page

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Patch, Vendor Advisory

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64372

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/162399/Moodle-3.6.1-Cross-Site-Scripting.html

Issue Tracking, Patch, Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3810

Patch, Vendor Advisory

https://moodle.org/mod/forum/discuss.php?d=381230#p1536767

Scores

CVSS v3 6.1

EPSS 0.0838

EPSS Percentile 92.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

moodle/moodle 3.1.0 - 3.1.15

moodle/moodle 3.6.0 - 3.6.1Packagist

Published Mar 25, 2019

Tracked Since Feb 18, 2026