# Exploit Title: Moodle 3.10.3 - 'url' Persistent Cross Site Scripting  
# Date: 22/04/2021  
# Exploit Author: UVision  
# Vendor Homepage:  
# Software Link:  
# Version: 3.10.3  
# Tested on: Debian/Windows 10  
By having the role of a teacher or an administrator or a manager (to have the possibility to create a course):   
- Create a new course (http://localhost/moodle/course/edit.php?category=1&returnto=topcat)  
- Give any name , short name, date and other things required.  
- In "Description" field, click on the "link" button  
- In the url field, enter the payload : <img src=1 href=1 onerror="javascript:alert(1)"></img>  
- Create the link, an alert window appears (close it several times so that it disappears) , save the course. ("Save and return")  
Each time the course description is displayed, the stored xss is activated : activate it by viewing the course, by modifying it, etc.