
CVE-2015-3274: Moodle cross-site scripting (XSS) vulnerability

CVSS Score: 6.1 (CVSS v3.0)

Basic Information

EPSS Score: 0.48854%
Published: 5/13/2022
Updated: 1/26/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name    Ecosystem   Vulnerable Versions    First Patched Version
moodle/moodle   composer    >= 2.7.0, < 2.7.9      2.7.9
moodle/moodle   composer    >= 2.8.0, < 2.8.7      2.8.7
moodle/moodle   composer    >= 2.9.0, < 2.9.1      2.9.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from user_get_user_details() in user/lib.php and its handling of custom profile fields. The commit diff shows that the patched version conditionally calls display_data() (which applies formatting and escaping) for text and textarea fields instead of returning the raw 'data' property. The CVE description names the missing external_format_text call in the web services layer as the root cause, which matches this function's pre-patch behaviour of emitting the unescaped $formfield->data value.
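The following is an added illustration of the pattern described above, not Moodle's own code. It assumes a minimal profile-field object with a public $data property (as the analysis describes) and uses PHP's htmlspecialchars() as a stand-in for the escaping that display_data()/external_format_text perform in Moodle; the function and class names are hypothetical.

```php
<?php
// Added example (not Moodle code): raw vs. escaped output of a custom profile field.

// Hypothetical stand-in for a Moodle custom profile field record.
class ProfileField {
    public string $shortname;
    public string $data;   // value exactly as the user entered it

    public function __construct(string $shortname, string $data) {
        $this->shortname = $shortname;
        $this->data = $data;
    }
}

// Pre-patch pattern: the web service payload carries $field->data untouched,
// so any markup a user stored in the field reaches every consumer unescaped.
function user_details_unsafe(array $fields): array {
    $out = [];
    foreach ($fields as $f) {
        $out[] = ['name' => $f->shortname, 'value' => $f->data];
    }
    return $out;
}

// Stand-in for the formatting/escaping step (display_data()/external_format_text
// in Moodle; plain htmlspecialchars() here, which is an assumption of this example).
function format_for_output(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Patched pattern: every field value is escaped before it enters the response.
function user_details_safe(array $fields): array {
    $out = [];
    foreach ($fields as $f) {
        $out[] = ['name' => $f->shortname, 'value' => format_for_output($f->data)];
    }
    return $out;
}

// Simple defender-side check: no angle brackets may survive in a response value.
function response_is_escaped(array $details): bool {
    foreach ($details as $entry) {
        if (strpbrk($entry['value'], '<>') !== false) {
            return false;
        }
    }
    return true;
}

// Constructed sample input: a textarea-style field containing HTML markup.
$fields = [
    new ProfileField('nickname', 'alice'),
    new ProfileField('about', '<b>Alice</b> & friends'),
];

var_dump(response_is_escaped(user_details_unsafe($fields))); // bool(false)
var_dump(response_is_escaped(user_details_safe($fields)));   // bool(true)
print_r(user_details_safe($fields));
```

The point of the check is that the escaping belongs in the function that assembles the web service response, not in one particular client: once the raw value is returned, every consumer of the API inherits the problem.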


WAF Protection Rules

WAF Rule

Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by
