CVE-2015-3274

MEDIUM

Moodle <2.9.1 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging absence of an external_format_text call in a web service.

References (4)

[Patch] http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50130

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1032877

[Vendor Advisory] https://moodle.org/mod/forum/discuss.php?d=316664

[Mailing List] http://openwall.com/lists/oss-security/2015/07/13/2

Scores

CVSS v3 6.1

EPSS 0.0026

EPSS Percentile 48.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status draft

Affected Products (29)

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

... and 14 more

Timeline

Published Feb 22, 2016

Tracked Since Feb 18, 2026