Description
Cross-site scripting (XSS) vulnerability in the external_format_text function in lib/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML into an external application via a crafted string that is visible to web services.
References (5)
Core 5
Core References
Patch x_refsource_confirm
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49718
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1032358
Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=313685
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/74726
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2015/05/18/1
Scores
EPSS
0.0021
EPSS Percentile
43.0%
Details
CWE
CWE-79
Status
published
Products (36)
moodle/moodle
2.5.0
moodle/moodle
2.5.1
moodle/moodle
2.5.2
moodle/moodle
2.5.3
moodle/moodle
2.5.4
moodle/moodle
2.5.5
moodle/moodle
2.5.6
moodle/moodle
2.5.7
moodle/moodle
2.5.8
moodle/moodle
2.6.0
... and 26 more
Published
Jun 01, 2015
Tracked Since
Feb 18, 2026