| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | < 2.7.10 | 2.7.10 |
| moodle/moodle | composer | >= 2.8.0, < 2.8.8 | 2.8.8 |
| moodle/moodle | composer | >= 2.9.0, < 2.9.2 | 2.9.2 |
The vulnerability lies in the `noclean = true` option that the pre-patch code passed to the `format_text` call shown in the commit diff; the fix is its removal. The `noclean` option explicitly bypasses Moodle's built-in HTML cleaning, which is its XSS protection, when processing user-supplied content. Because the pre-patch code set this option, the grouping description was output without sanitization, making XSS injection possible. The patch removes the `noclean` override so the description goes through the normal cleaning path.
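As an added illustration (not the commit diff itself, which this page only refers to), the weak call beside the corrected one, in the shape Moodle's `format_text()` takes; the `$grouping` object and `$context` variable are assumed names for the grouping record and its course context:

```php
<?php
// Pre-patch shape (assumed reconstruction): 'noclean' => true tells
// format_text() to skip clean_text(), so any HTML a grouping editor
// typed into the description is emitted verbatim, including script.
$html = format_text(
    $grouping->description,
    $grouping->descriptionformat,
    array('noclean' => true, 'context' => $context)
);

// Post-patch shape (assumed reconstruction): with 'noclean' left at its
// default of false, format_text() runs the HTML cleaner before output.
// 'noclean' is only appropriate for content authored by fully trusted
// users (for example, site configuration), never for user-editable fields.
$html = format_text(
    $grouping->description,
    $grouping->descriptionformat,
    array('context' => $context)
);
```

When auditing similar code, any `format_text()` call on user-editable data that carries `'noclean' => true` deserves the same review.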