
Cloud Vulnerability DB
A community-led vulnerabilities database
Persistent XSS vulnerability (CVE-2019-18210) affects Moodle through version 3.7.2, allowing authenticated users with the Teacher role or above to inject JavaScript that executes in the browser sessions of other users (enrolled students or site administrators) via the introeditor[text] parameter of /course/modedit.php. The vulnerability was discovered in 2019 and disclosed by February 2020 (NVD, Gist Advisory).
The vulnerability exists in the course editing functionality (/course/modedit.php), where teachers can add HTML-based descriptions to course objects. A sanitizer is applied, but only on the client side, so it can be bypassed by intercepting the HTTP request and placing JavaScript in the introeditor[text] parameter after the browser-side check has run. The injected JavaScript then executes on page load for any user who views the affected page. The vulnerability has a CVSS v3.1 Base Score of 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).
The vulnerability could be exploited to perform targeted denial of service attacks, deploy ransomware, inject malicious scripts, collect user information, and enable social engineering attacks. Attackers could potentially lock students out of unit pages, demand ransom payments for access to class content (particularly critical before exams), trick users into revealing passwords, or steal information from the class homepage (Gist Advisory).
There is a disagreement between the discoverer and vendor regarding this vulnerability. Moodle's position is that teachers are intentionally trusted with the ability to add arbitrary JavaScript, though this capability was not documented on Moodle's Teacher_role page at the time. The vendor has classified this as a false positive rather than a bug (NVD, Teacher Role).
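Whatever position a site takes on the trust question above, the technical lesson of the report is that a check running only in the browser does not constrain what reaches the server. A site that does not want teachers to publish script needs to re-apply the policy server-side to the submitted introeditor[text] value. The allowlist sanitizer below is an added illustration written for this page; it is not Moodle code and makes no claim about how Moodle's own text filters work. Tag and attribute allowlists are assumptions chosen for a course description; the sample inputs are constructed.

```python
"""Server-side allowlist sanitizer for user-supplied HTML descriptions.

Constructed example. Tag/attribute allowlists are illustrative choices, not
Moodle's. The point is that the policy is enforced on the value the server
actually receives, so editing the request cannot skip it.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markup a course description legitimately needs; anything else is dropped
# (its text content is kept). script/style lose their content as well.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li",
                "h3", "h4", "a", "img", "blockquote", "code", "pre"}
# Attributes allowed per tag. Event handlers (on*) and style are never listed.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" admits relative URLs
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}


def _safe_url(value: str) -> bool:
    """Allow only http(s), mailto and relative URLs in href/src."""
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0          # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                   # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue             # removes onerror=, onload=, style= ...
            value = value or ""
            if name in URL_ATTRS and not _safe_url(value):
                continue             # removes javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # convert_charrefs decoded entities; re-escape so text stays text.
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                         # comments carry nothing a description needs


def sanitize_description(submitted_html: str) -> str:
    """Return the allowlisted rendering of a submitted description field."""
    parser = AllowlistSanitizer()
    parser.feed(submitted_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed submissions: one legitimate, several that a browser-side
    # check would never see because they were written straight into the request.
    samples = [
        '<p>Read <b>chapter 3</b> &amp; answer the <a href="https://example.org/q">questions</a>.</p>',
        '<p onclick="x()">hi</p><script>alert(1)</script>',
        '<img src="x" onerror="alert(1)">',
        '<a href="javascript:alert(1)">link</a>',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize_description(s)))
```

The sanitizer is deliberately an allowlist: unknown tags and attributes are removed rather than checked against a list of known-bad names, so a new event-handler attribute or a tag the author did not think of is dropped by default. Running the same policy both in the browser (for feedback) and on the server (for enforcement) is fine; running it only in the browser is the failure mode this CVE describes.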
Source: This report was generated using AI