{"id":"CVE-2018-1136","details":"An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other pages where they can be viewed by other users.","aliases":["GHSA-xhfw-wjjc-4j5h"],"modified":"2026-04-10T04:04:26.849024Z","published":"2018-05-25T12:29:00.370Z","references":[{"type":"ADVISORY","url":"https://moodle.org/mod/forum/discuss.php?d=371202"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/104307"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/moodle/moodle","events":[{"introduced":"268abfacc54c4cbf9722c1502569b311c7caefff"},{"last_affected":"e25e165231ed061c4278ce3694d2e1e4d4d3d142"},{"introduced":"b182239f21c38ea57cddb41b0c03ef3eb02709f8"},{"last_affected":"2a591e36a9783c364d1c55d8988b5630d073bc93"},{"introduced":"b87a580aa3eb23d5f05d7f619fc40a89e0f86fe5"},{"last_affected":"e786a591d538204fad37f188018f8c82f69a28f2"},{"introduced":"665c3ac59c35b7387a4fc70b8ac6600ce9ffeb87"},{"last_affected":"c485e424475b41d3ae55cc3c742fed9cd19a1e75"}],"database_specific":{"versions":[{"introduced":"3.1.0"},{"last_affected":"3.1.11"},{"introduced":"3.2.0"},{"last_affected":"3.2.8"},{"introduced":"3.3.0"},{"last_affected":"3.3.5"},{"introduced":"3.4.0"},{"last_affected":"3.4.2"}]}}],"versions":["v3.1.0","v3.1.1","v3.1.10","v3.1.11","v3.1.2","v3.1.3","v3.1.4","v3.1.5","v3.1.6","v3.1.7","v3.1.8","v3.1.9","v3.2.0","v3.2.1","v3.2.2","v3.2.3","v3.2.4","v3.2.5","v3.2.6","v3.2.7","v3.2.8","v3.3.0","v3.3.1","v3.3.2","v3.3.3","v3.3.4","v3.3.5","v3.4.0","v3.4.1","v3.4.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1136.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}