| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | < 2.6.11 | 2.6.11 |
| moodle/moodle | composer | >= 2.7.0, < 2.7.8 | 2.7.8 |
| moodle/moodle | composer | >= 2.8.0, < 2.8.6 | 2.8.6 |
The vulnerability stems from the external_format_text function in lib/externallib.php. The commit diff shows that in vulnerable versions, when raw mode was disabled, the function forced the text format to FORMAT_HTML and used format_text() with 'noclean' => true. This bypassed Moodle's standard HTML sanitization, allowing malicious scripts to remain in the output. The patch removed 'noclean' and adjusted the format handling, confirming the vulnerability was directly tied to this function's logic.
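To make the described logic concrete, the following PHP sketch is an added illustration and not Moodle's own code. It models the behaviour in the paragraph with a stand-in `model_format_text()` (a placeholder for Moodle's `format_text()`, which in the real code base delegates cleaning to `clean_text()` and HTML Purifier; the regex sanitizer here is a deliberately simplified assumption), a `vulnerable_external_format_text()` that forces `FORMAT_HTML` and passes `'noclean' => true`, and a `patched_external_format_text()` that keeps the caller's format and lets the cleaner run. The function names with a `model_`/`vulnerable_`/`patched_` prefix and the sample input are constructed for this example.

```php
<?php
// Added illustration of the advisory's point; not Moodle's code.
// Constant names mirror Moodle's, values are assumptions for this sketch.
define('FORMAT_HTML', '1');
define('FORMAT_PLAIN', '2');

// Stand-in for Moodle's format_text(). Real Moodle runs clean_text() (HTML Purifier)
// unless $options['noclean'] is true; this placeholder only strips <script> blocks
// and inline on* event handlers, which is NOT a sufficient sanitizer for production.
function model_format_text(string $text, string $format, array $options = []): string {
    if (!empty($options['noclean'])) {
        // 'noclean' => true: sanitization is skipped entirely.
        return $text;
    }
    $text = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $text);
    $text = preg_replace('/\son\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $text);
    return $text;
}

// Vulnerable pattern as described: when raw mode is off, force FORMAT_HTML
// and set 'noclean' => true, so untrusted markup passes through unchanged.
function vulnerable_external_format_text(string $text, string $format, bool $rawmode = false): string {
    if ($rawmode) {
        return $text; // raw mode returns the stored text as-is by design
    }
    return model_format_text($text, FORMAT_HTML, ['noclean' => true]);
}

// Patched pattern: 'noclean' removed, the caller's format is respected,
// and the cleaning step inside format_text() is allowed to run.
function patched_external_format_text(string $text, string $format, bool $rawmode = false): string {
    if ($rawmode) {
        return $text;
    }
    return model_format_text($text, $format, []);
}

// Constructed sample input: a stored HTML fragment that carries a script element.
$sample = '<p>Hello</p><script>alert(1)</script><img src="x" onerror="alert(2)">';

echo "vulnerable: " . vulnerable_external_format_text($sample, FORMAT_HTML) . "\n";
echo "patched:    " . patched_external_format_text($sample, FORMAT_HTML) . "\n";
```

Run with `php example.php`: the vulnerable path echoes the script element and the event handler back unchanged, the patched path drops both. When reviewing similar web-service output code, the thing to grep for is any `'noclean' => true` (or equivalent "trusted text" flag) applied to content that originates from a lower-privilege user; the patch here is simply to stop asserting that trust.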