CVE-2014-7830
Moodle < 2.4.11 and 2.5.x < 2.5.9 - Authenticated Cross-Site Scripting via Feedback Module Searchcourse Parameter
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter.
References (5)
Core 5
Core References
Patch x_refsource_confirm
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47865
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1031215
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/71119
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2014/11/17/11
Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=275147
Scores
EPSS
0.0021
EPSS Percentile
43.0%
Details
CWE
CWE-79
Status
published
Products (20)
moodle/moodle
2.5.0
moodle/moodle
2.5.1
moodle/moodle
2.5.2
moodle/moodle
2.5.3
moodle/moodle
2.5.4
moodle/moodle
2.5.5
moodle/moodle
2.5.6
moodle/moodle
2.5.7
moodle/moodle
2.5.8
moodle/moodle
2.6.0
... and 10 more
Published
Nov 24, 2014
Tracked Since
Feb 18, 2026