CVE-2015-2273: XSS
First published: Mon Jun 01 2015(Updated: )
Cross-site scripting (XSS) vulnerability in mod/quiz/report/statistics/statistics_question_table.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the student role for a crafted quiz response.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | >=2.8.0<2.8.4 | 2.8.4 |
| composer/moodle/moodle | >=2.7.0<2.7.6 | 2.7.6 |
| composer/moodle/moodle | <2.6.9 | 2.6.9 |
| Moodle | <=2.5.9 | |
| Moodle | =2.5.0 | |
| Moodle | =2.5.1 | |
| Moodle | =2.5.2 | |
| Moodle | =2.5.3 | |
| Moodle | =2.5.4 | |
| Moodle | =2.5.5 | |
| Moodle | =2.5.6 | |
| Moodle | =2.5.7 | |
| Moodle | =2.5.8 | |
| Moodle | =2.6.0 | |
| Moodle | =2.6.1 | |
| Moodle | =2.6.2 | |
| Moodle | =2.6.3 | |
| Moodle | =2.6.4 | |
| Moodle | =2.6.5 | |
| Moodle | =2.6.6 | |
| Moodle | =2.6.7 | |
| Moodle | =2.6.8 | |
| Moodle | =2.7.0 | |
| Moodle | =2.7.1 | |
| Moodle | =2.7.2 | |
| Moodle | =2.7.3 | |
| Moodle | =2.7.4 | |
| Moodle | =2.7.5 | |
| Moodle | =2.8.0 | |
| Moodle | =2.8.1 | |
| Moodle | =2.8.2 | |
| Moodle | =2.8.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49364
- http://openwall.com/lists/oss-security/2015/03/16/1
- https://moodle.org/mod/forum/discuss.php?d=307387
- https://nvd.nist.gov/vuln/detail/CVE-2015-2273
- https://github.com/moodle/moodle/commit/71aeb8a9cb4cf06f0b4aa49daf527e5c866db30e
- https://github.com/moodle/moodle/commit/8b6fcfa958204c6f26c410b9a9757612b326b6c7
- https://github.com/moodle/moodle/commit/ceab40d186e241a9c239392954c6afdc3e2c3a4f
- https://github.com/moodle/moodle/commit/f1fb96b698876bece46e8606b3c6c78889265e2b
- https://github.com/advisories/GHSA-w77v-xpxr-c6pv (Advisory)
Frequently Asked Questions
What is the severity of CVE-2015-2273?
The severity of CVE-2015-2273 is considered medium as it allows remote authenticated users to inject arbitrary web scripts or HTML.
How do I fix CVE-2015-2273?
To fix CVE-2015-2273, upgrade Moodle to version 2.6.9, 2.7.6, or 2.8.4 or later.
Which versions of Moodle are affected by CVE-2015-2273?
Moodle versions from 2.5.0 up to 2.5.9, and 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 are affected.
What type of vulnerability is CVE-2015-2273?
CVE-2015-2273 is a cross-site scripting (XSS) vulnerability.
Who can exploit CVE-2015-2273?
CVE-2015-2273 can be exploited by remote authenticated users leveraging the student role.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-w77v-xpxr-c6pv
- alias/CVE-2015-2273
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/author
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/moodle
- canonical/moodle
- version/moodle/2.5.9
- version/moodle/2.5.0
- version/moodle/2.5.1
- version/moodle/2.5.2
- version/moodle/2.5.3
- version/moodle/2.5.4
- version/moodle/2.5.5
- version/moodle/2.5.6
- version/moodle/2.5.7
- version/moodle/2.5.8
- version/moodle/2.6.0
- version/moodle/2.6.1
- version/moodle/2.6.2
- version/moodle/2.6.3
- version/moodle/2.6.4
- version/moodle/2.6.5
- version/moodle/2.6.6
- version/moodle/2.6.7
- version/moodle/2.6.8
- version/moodle/2.7.0
- version/moodle/2.7.1
- version/moodle/2.7.2
- version/moodle/2.7.3
- version/moodle/2.7.4
- version/moodle/2.7.5
- version/moodle/2.8.0
- version/moodle/2.8.1
- version/moodle/2.8.2
- version/moodle/2.8.3