CVE-2015-3274
MEDIUMMoodle 2.7.0-2.7.8 - Cross-Site Scripting in User Details Web Service
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging absence of an external_format_text call in a web service.
References (4)
Core 4
Core References
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2015/07/13/2
Patch x_refsource_confirm
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50130
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1032877
Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=316664
Scores
CVSS v3
6.1
EPSS
0.0026
EPSS Percentile
48.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (29)
moodle/moodle
2.6.0
moodle/moodle
2.6.1
moodle/moodle
2.6.2
moodle/moodle
2.6.3
moodle/moodle
2.6.4
moodle/moodle
2.6.5
moodle/moodle
2.6.6
moodle/moodle
2.6.7
moodle/moodle
2.6.8
moodle/moodle
2.6.9
... and 19 more
Published
Feb 22, 2016
Tracked Since
Feb 18, 2026