
CVE-2015-0216: Moodle does not set the RISK_XSS bit for graders

CVSS Score
3.5

Basic Information

EPSS Score
0.45471%
Published
5/13/2022
Updated
1/25/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
AV:N/AC:M/Au:S/C:N/I:P/A:N
Package Name
moodle/moodle
Ecosystem
composer
Vulnerable Versions
>= 2.8.0, < 2.8.2
First Patched Version
2.8.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the missing RISK_XSS flag in the grade capability definition in the Lesson module's access.php. The patch explicitly adds RISK_XSS to the capability's riskbitmask (RISK_SPAM | RISK_XSS), indicating that this declaration was the core issue. No traditional 'functions' are involved: Moodle's capability system uses these riskbitmask declarations to record what granting a capability allows, and the access.php modification addresses the XSS risk by correctly categorizing the risk profile of the grading operation.
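The following is an added example, not Moodle's own code or the patch itself. It shows the shape of a capability declaration in a module's db/access.php as the analysis describes it, with the weak riskbitmask beside the corrected one, and a small audit helper that lists write capabilities lacking a given risk bit. The capability name 'mod/lesson:grade', the archetype list and the helper are assumptions made for illustration; the RISK_SPAM | RISK_XSS mask is the only value taken from the page. The RISK_* and context constants are defined locally so the file runs stand-alone outside Moodle.

```php
<?php
// Added example (not Moodle's own code). Constants mirror Moodle's public
// definitions so this file runs without a Moodle checkout.
define('RISK_MANAGETRUST', 0x0001);
define('RISK_CONFIG',      0x0002);
define('RISK_XSS',         0x0004);
define('RISK_PERSONAL',    0x0008);
define('RISK_SPAM',        0x0010);
define('RISK_DATALOSS',    0x0020);
define('CONTEXT_MODULE',   70);
define('CAP_ALLOW',        1);

// Weak form (assumed to match the vulnerable 2.8.0/2.8.1 declaration): the grader
// capability is flagged only as a spam risk, so nothing records that a holder can
// author HTML (essay feedback) that other users will see.
$capabilities_before = array(
    'mod/lesson:grade' => array(            // capability name is an assumption
        'riskbitmask'  => RISK_SPAM,
        'captype'      => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'archetypes'   => array(            // archetype list is an assumption
            'teacher'        => CAP_ALLOW,
            'editingteacher' => CAP_ALLOW,
            'manager'        => CAP_ALLOW,
        ),
    ),
);

// Corrected form: RISK_XSS added to the mask, as the patch described above does.
$capabilities_after = $capabilities_before;
$capabilities_after['mod/lesson:grade']['riskbitmask'] = RISK_SPAM | RISK_XSS;

/**
 * Audit helper (hypothetical): return the names of write capabilities in a
 * $capabilities array whose riskbitmask does not include $risk. The result is a
 * review list; whether each entry should carry the bit is a human decision.
 */
function capabilities_missing_risk(array $capabilities, int $risk): array
{
    $missing = array();
    foreach ($capabilities as $name => $def) {
        $mask    = isset($def['riskbitmask']) ? (int) $def['riskbitmask'] : 0;
        $captype = isset($def['captype']) ? $def['captype'] : '';
        if ($captype === 'write' && ($mask & $risk) === 0) {
            $missing[] = $name;
        }
    }
    return $missing;
}

/** Render a riskbitmask as its RISK_* names for a readable report. */
function risk_names(int $mask): string
{
    $names = array();
    foreach (array('RISK_MANAGETRUST', 'RISK_CONFIG', 'RISK_XSS',
                   'RISK_PERSONAL', 'RISK_SPAM', 'RISK_DATALOSS') as $c) {
        if ($mask & constant($c)) {
            $names[] = $c;
        }
    }
    return $names ? implode(' | ', $names) : '(none)';
}

foreach (array('before' => $capabilities_before, 'after' => $capabilities_after) as $label => $caps) {
    $mask = $caps['mod/lesson:grade']['riskbitmask'];
    echo $label, ": mod/lesson:grade riskbitmask = ", risk_names($mask), "\n";
    echo "  write capabilities missing RISK_XSS: ",
         implode(', ', capabilities_missing_risk($caps, RISK_XSS)) ?: '(none)', "\n";
}
```

Running the script reports the weak declaration as missing RISK_XSS and the corrected one as clean. The same helper can be pointed at any module's $capabilities array during a review to find write capabilities that were never assessed for XSS risk.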

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

access.php in the Lesson module in Moodle 2.8.x before 2.8.2 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted essay feedback.

Reasoning

The vulnerability stems from the missing RISK_XSS flag in the grade capability definition. The patch explicitly adds RISK_XSS to the riskbitmask (RISK_SPAM | RISK_XSS), indicating this was the core issue. While no traditional 'functions' are involved, Moodle's capability system uses these riskbitmask declarations to enforce security handling.