CVE-2015-3174: Moodle does not set the RISK_XSS bit for graders

CVSS Score: 3.5

Basic Information

EPSS Score: 0.45329%
Published: 5/13/2022
Updated: 1/26/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | < 2.6.11 | 2.6.11 |
| moodle/moodle | composer | >= 2.7.0, < 2.7.8 | 2.7.8 |
| moodle/moodle | composer | >= 2.8.0, < 2.8.6 | 2.8.6 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the missing RISK_XSS declaration in the quiz grading capability. Moodle uses riskbitmask flags to determine when to sanitize user input. The patch explicitly adds RISK_XSS to 'mod/quiz:grade' in access.php, confirming this was the vulnerable configuration. The capability governs manual grading interactions where XSS payloads could be injected via feedback fields.
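The check below is an added example, not code from Moodle or from this advisory: it audits capability definitions in the db/access.php array format and reports required risk bits that a definition does not declare. The function name missing_risk_bits, the pre-patch mask of RISK_SPAM and the archetype list are assumptions made for illustration; the constants carry the values Moodle defines in lib/accesslib.php.

```php
<?php
// Stand-alone audit of capability definitions in the db/access.php array
// format. Outside Moodle these constants do not exist, so they are defined
// here with the values Moodle uses in lib/accesslib.php.
defined('RISK_XSS') || define('RISK_XSS', 0x0004);
defined('RISK_SPAM') || define('RISK_SPAM', 0x0010);
defined('CAP_ALLOW') || define('CAP_ALLOW', 1);
defined('CONTEXT_MODULE') || define('CONTEXT_MODULE', 70);

/**
 * For each capability in $required, return the names of the required risk
 * bits that its definition in $capabilities does not declare.
 */
function missing_risk_bits(array $capabilities, array $required): array {
    $names = [RISK_XSS => 'RISK_XSS', RISK_SPAM => 'RISK_SPAM'];
    $findings = [];
    foreach ($required as $capname => $needed) {
        if (!isset($capabilities[$capname])) {
            $findings[$capname] = ['capability not defined'];
            continue;
        }
        // A definition with no 'riskbitmask' key declares no risks at all.
        $declared = $capabilities[$capname]['riskbitmask'] ?? 0;
        $missing = $needed & ~$declared;
        foreach ($names as $bit => $name) {
            if ($missing & $bit) {
                $findings[$capname][] = $name;
            }
        }
    }
    return $findings;
}

// Constructed definitions; only the riskbitmask differs between the two.
$before = ['mod/quiz:grade' => [
    'riskbitmask' => RISK_SPAM, // assumed pre-patch mask: RISK_XSS absent
    'captype' => 'write',
    'contextlevel' => CONTEXT_MODULE,
    'archetypes' => ['teacher' => CAP_ALLOW, 'editingteacher' => CAP_ALLOW],
]];
$after = $before;
$after['mod/quiz:grade']['riskbitmask'] = RISK_SPAM | RISK_XSS;

$required = ['mod/quiz:grade' => RISK_XSS];
foreach (['before patch' => $before, 'after patch' => $after] as $label => $caps) {
    $result = missing_risk_bits($caps, $required);
    echo $label, ': ', $result ? json_encode($result, JSON_UNESCAPED_SLASHES) : 'ok', PHP_EOL;
}
```

To audit a real installation, pass the $capabilities array loaded from mod/quiz/db/access.php in place of the constructed definitions.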
