CVE-2015-3274: XSS
First published: Mon Feb 22 2016(Updated: )
Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging absence of an external_format_text call in a web service.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | >=2.9.0<2.9.1 | 2.9.1 |
| composer/moodle/moodle | >=2.8.0<2.8.7 | 2.8.7 |
| composer/moodle/moodle | >=2.7.0<2.7.9 | 2.7.9 |
| Moodle | =2.6.0 | |
| Moodle | =2.6.1 | |
| Moodle | =2.6.2 | |
| Moodle | =2.6.3 | |
| Moodle | =2.6.4 | |
| Moodle | =2.6.5 | |
| Moodle | =2.6.6 | |
| Moodle | =2.6.7 | |
| Moodle | =2.6.8 | |
| Moodle | =2.6.9 | |
| Moodle | =2.6.10 | |
| Moodle | =2.7.0 | |
| Moodle | =2.7.1 | |
| Moodle | =2.7.2 | |
| Moodle | =2.7.3 | |
| Moodle | =2.7.4 | |
| Moodle | =2.7.5 | |
| Moodle | =2.7.6 | |
| Moodle | =2.7.7 | |
| Moodle | =2.7.8 | |
| Moodle | =2.8.0 | |
| Moodle | =2.8.1 | |
| Moodle | =2.8.2 | |
| Moodle | =2.8.3 | |
| Moodle | =2.8.4 | |
| Moodle | =2.8.5 | |
| Moodle | =2.8.6 | |
| Moodle | =2.9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50130
- http://openwall.com/lists/oss-security/2015/07/13/2
- http://www.securitytracker.com/id/1032877
- https://moodle.org/mod/forum/discuss.php?d=316664
- https://nvd.nist.gov/vuln/detail/CVE-2015-3274
- https://github.com/moodle/moodle/commit/7b15a363201109354bbd6d51a7c70f50dac7b9d8
- https://github.com/moodle/moodle/commit/a809a8dccea222a31e0828d4f17889035e6d1a36
- https://github.com/moodle/moodle/commit/e96e66aa16dca5cbcdb1aef0f9499edf86f1404b
- https://github.com/moodle/moodle/commit/ffe5c784889b3f7b2ba11cf9db881d54904623b7
- https://web.archive.org/web/20150924032214/http://www.securitytracker.com/id/1032877
- https://github.com/advisories/GHSA-f7qm-q26p-6rr2 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2015-3274?
CVE-2015-3274 is considered a high severity vulnerability due to its potential for remote code execution via cross-site scripting (XSS).
How do I fix CVE-2015-3274?
To fix CVE-2015-3274, upgrade to Moodle versions 2.7.9, 2.8.7, or 2.9.1 or later, for a secure resolution.
Who is affected by CVE-2015-3274?
CVE-2015-3274 affects Moodle versions 2.6 through 2.9 prior to their respective patches.
What type of vulnerability is CVE-2015-3274?
CVE-2015-3274 is a cross-site scripting (XSS) vulnerability which allows attackers to inject malicious scripts into web pages.
Can CVE-2015-3274 allow unauthorized access?
Yes, CVE-2015-3274 can potentially allow unauthorized attackers to execute scripts in a user's browser session.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-f7qm-q26p-6rr2
- alias/CVE-2015-3274
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/author
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/moodle
- canonical/moodle
- version/moodle/2.6.0
- version/moodle/2.6.1
- version/moodle/2.6.2
- version/moodle/2.6.3
- version/moodle/2.6.4
- version/moodle/2.6.5
- version/moodle/2.6.6
- version/moodle/2.6.7
- version/moodle/2.6.8
- version/moodle/2.6.9
- version/moodle/2.6.10
- version/moodle/2.7.0
- version/moodle/2.7.1
- version/moodle/2.7.2
- version/moodle/2.7.3
- version/moodle/2.7.4
- version/moodle/2.7.5
- version/moodle/2.7.6
- version/moodle/2.7.7
- version/moodle/2.7.8
- version/moodle/2.8.0
- version/moodle/2.8.1
- version/moodle/2.8.2
- version/moodle/2.8.3
- version/moodle/2.8.4
- version/moodle/2.8.5
- version/moodle/2.8.6
- version/moodle/2.9.0