
Description

Cross-site scripting vulnerability in the Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with the Teacher role can upload a PDF containing embedded JavaScript. The assistant then outputs a direct HTML link to the uploaded file without sanitization; when other users (including Students or Administrators) click the link, the payload executes in their browser. The attack crosses a trust boundary, since a Teacher-level account is enough to reach Administrator sessions.
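The two gates a plugin in this position needs are shown below as an added example; it is not code from the GeniAI plugin or from Moodle (Moodle is PHP, and its file API already offers a forced-download mode for stored files), but a portable Node.js sketch. It assumes a generic download endpoint (`/download?id=`) and constructs its own minimal PDFs inline. The marker scan is a first gate only: it looks for JavaScript and auto-run actions in plain object syntax, including hex-escaped names, but cannot see inside compressed object streams or encrypted documents.

```javascript
'use strict';

// PDF name objects that introduce executable or auto-run behaviour.
// /OpenAction runs when the document opens, /AA is an additional-actions
// dictionary, /JavaScript and /JS carry scripts, /Launch starts a program.
const ACTIVE_NAMES = ['/JavaScript', '/JS', '/OpenAction', '/AA', '/Launch'];

// PDF names may spell characters as #XX hex escapes (/J#61vaScript is
// /JavaScript), so normalise those before matching.
function decodePdfNames(text) {
  return text.replace(/#([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Return the active-content markers visible in the upload. An empty array
// means none were found in plain object syntax; markers hidden in compressed
// object streams or encrypted files are not seen, so this is a first gate.
function findActiveContent(bytes) {
  const text = decodePdfNames(Buffer.from(bytes).toString('latin1'));
  if (!text.startsWith('%PDF-')) return ['not-a-pdf'];
  // A trailing letter would make it a different name (e.g. /JSX), so require
  // a non-letter after the marker.
  return ACTIVE_NAMES.filter(name => new RegExp(name + '(?![A-Za-z])').test(text));
}

// Decision the assistant should take before linking a teacher upload to others.
function vetUpload(bytes) {
  const findings = findActiveContent(bytes);
  return { accepted: findings.length === 0, findings };
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// The pattern the advisory describes: a direct, unescaped link to the file.
function renderLinkUnsafe(fileUrl, fileName) {
  return `<a href="${fileUrl}">${fileName}</a>`;
}

// Hardened: escape attribute and text, and route through a download endpoint
// (assumed name) instead of handing out an inline-rendered URL.
function renderLinkSafe(fileId, fileName) {
  const href = '/download?id=' + encodeURIComponent(fileId); // assumed endpoint
  return `<a href="${escapeHtml(href)}" rel="noopener">${escapeHtml(fileName)}</a>`;
}

// Headers for the download endpoint: force a save instead of inline rendering
// in the browser's PDF viewer, forbid content sniffing, and sandbox anything
// that does get rendered.
function downloadHeaders(fileName) {
  const safeName = fileName.replace(/[^\w.\-]/g, '_');
  return {
    'Content-Type': 'application/pdf',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
}

// Constructed minimal PDFs for the demonstration (not real uploads).
const CLEAN_PDF = Buffer.from(
  '%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n' +
  '2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n' +
  'trailer << /Root 1 0 R >>\n%%EOF\n', 'latin1');

const JS_PDF = Buffer.from(
  '%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n' +
  '2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n' +
  '3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n' +
  'trailer << /Root 1 0 R >>\n%%EOF\n', 'latin1');

console.log('clean upload:', vetUpload(CLEAN_PDF));
console.log('scripted upload:', vetUpload(JS_PDF));
console.log('unsafe link:', renderLinkUnsafe('https://lms.example/f.pdf', '"><img src=x onerror=alert(1)>'));
console.log('safe link:', renderLinkSafe('42', '<script>x</script>.pdf'));
```

Rejecting the upload and forcing a download are independent controls: the scan stops obvious scripted PDFs at ingest, while the attachment disposition and sandboxed CSP limit what a file that slips past it can do when another user follows the link.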

PUBLISHED Reserved 2025-09-26 | Published 2025-10-21 | Updated 2025-10-21 | Assigner mitre

HIGH: 8.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

References

moodle.org/security/

onurcangenc.com.tr/...xss-via-pdf-upload-and-chatbot-ınput/

github.com/onurcangnc/moodle_genai_plugin_xss

moodle.org/plugins/local_geniai

cve.org (CVE-2025-60507)

nvd.nist.gov (CVE-2025-60507)
