CVE-2014-2571: Moodle cross-site scripting (XSS) vulnerability

CVSS Score: N/A

Basic Information

EPSS Score: 0.43374%
Published: 5/13/2022
Updated: 1/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Affected packages (package name, ecosystem, vulnerable versions, first patched version):

moodle/moodle (composer): < 2.4.9, first patched in 2.4.9
moodle/moodle (composer): >= 2.5.0, < 2.5.5, first patched in 2.5.5
moodle/moodle (composer): >= 2.6.0, < 2.6.2, first patched in 2.6.2

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the unescaped output of $questiontext in the quiz_question_tostring function. The GitHub patch explicitly adds the s() sanitization function to neutralize HTML/script content, confirming the lack of proper escaping in the original code. The test case in editlib_test.php further validates the XSS scenario by checking sanitized output. The direct correlation between the vulnerability description, CWE-79 classification, and the code change provides high confidence in this assessment.
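To make the root cause concrete, the following is an added illustration written for this page; it is not Moodle's code and does not reproduce the real quiz_question_tostring() body. It places a minimal "before" version that interpolates $questiontext unescaped beside the "after" version that routes it through s(), and runs a constructed question record through both. The local s() is an assumption, modelled as a thin wrapper over PHP's htmlspecialchars(), and the record fields and class names are illustrative.

```php
<?php
// Added example, not Moodle's code: a stand-in for the pattern the analysis
// above describes. The real function builds a display string from a question
// record; here a plain object with two fields is assumed.

// Assumption: Moodle's s() behaves like htmlspecialchars() with quotes escaped.
// Defined locally so this file runs stand-alone.
function s($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before the fix: $questiontext is concatenated into the markup as-is, so any
// HTML stored in the question is rendered by the browser instead of displayed.
function quiz_question_tostring_vulnerable($question) {
    $questiontext = $question->questiontext;
    return '<span class="questionname">' . $question->name . '</span> '
         . '<span class="questiontext">' . $questiontext . '</span>';
}

// After the fix: both user-controlled fields pass through s(), so angle
// brackets, ampersands and quotes reach the page as entities and are shown literally.
function quiz_question_tostring_fixed($question) {
    $questiontext = $question->questiontext;
    return '<span class="questionname">' . s($question->name) . '</span> '
         . '<span class="questiontext">' . s($questiontext) . '</span>';
}

// Constructed sample record: a question whose text contains markup.
$q = new stdClass();
$q->name = 'Constructed question';
$q->questiontext = '<b>bold</b> & "quoted"';

$before = quiz_question_tostring_vulnerable($q);
$after  = quiz_question_tostring_fixed($q);

// The kind of check a unit test (like the editlib test mentioned above) would
// make: the escaped output must not contain the raw tag and must contain
// its entity-encoded form.
$stillRaw  = strpos($after, '<b>') !== false;
$isEscaped = strpos($after, '&lt;b&gt;') !== false;

echo "before: $before\n";
echo "after:  $after\n";
echo ($stillRaw || !$isEscaped) ? "FAIL: markup survived escaping\n"
                                : "OK: markup neutralised\n";
```

Running the file with the PHP CLI prints the unescaped and escaped strings side by side; the "before" line still carries the literal <b> tag, the "after" line carries &lt;b&gt;, &amp; and &quot; instead. The same containment check on the rendered string is the simplest regression test for this class of fix.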

WAF Protection Rules

WAF Rule

Cross-site scripting (XSS) vulnerability in the quiz_question_tostring function in mod/quiz/editlib.php in Moodle through 2.4.8, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to inject arbitrary web