Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Moodle 2.8.x < 2.8.2 XSS

Medium

Synopsis

The remote web server is hosting a web application that is vulnerable to a cross-site scripting (XSS) attack.

Description

The remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.8.x prior to 2.8.2 contain a flaw that allows a stored cross-site scripting (XSS) attack. This flaw exists because the 'mod/lesson/db/access.php' script does not validate input to essay feedback when grading lessons before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (MSA-15-0006 / CVE-2015-0216)

Solution

Upgrade to Moodle version 2.8.2 or later.