Moodle 2.8.x < 2.8.2 XSS
Medium Nessus Network Monitor Plugin ID 8724
SynopsisThe remote web server is hosting a web application that is vulnerable to a cross-site scripting (XSS) attack.
DescriptionThe remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.8.x prior to 2.8.2 contain a flaw that allows a stored cross-site scripting (XSS) attack. This flaw exists because the 'mod/lesson/db/access.php' script does not validate input to essay feedback when grading lessons before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (MSA-15-0006 / CVE-2015-0216)
SolutionUpgrade to Moodle version 2.8.2 or later.