
CVE-2016-2152: Moodle XSS from profile fields from external db

CVSS Score: 6.1 (CVSS 3.0)

Basic Information

EPSS Score: 0.57388%
Published: 5/13/2022
Updated: 1/26/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name    Ecosystem   Vulnerable Versions   First Patched Version
moodle/moodle   composer    >= 2.7, < 2.7.13      2.7.13
moodle/moodle   composer    >= 2.8, < 2.8.11      2.8.11
moodle/moodle   composer    >= 2.9, < 2.9.5       2.9.5
moodle/moodle   composer    >= 3.0, < 3.0.3       3.0.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from missing input sanitization when handling external database profile fields. The patches (e.g., 3b214760) introduced core_user::get_property_definition() and clean_data() to apply PARAM_* validation. Vulnerable versions lacked these sanitization steps in auth/db/auth.php's user synchronization/update logic, making sync_users and update_user_record the entry points for untrusted data. The commit diffs show added clean_data() calls in these flows, confirming the prior absence of validation.
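The sync flow described above, reduced to a stand-alone script so the difference between the vulnerable and the patched behaviour is visible. This is an added example, not Moodle's code: PROFILE_PROPERTIES and clean_field() are simplified stand-ins for core_user::get_property_definition() and clean_data(), the update_user_record_* functions are hypothetical models of the auth/db update path, and the external row is constructed.

```php
<?php
// Added example (not Moodle code). Models the external-DB profile sync that
// auth/db performs: a row from a database the site does not control is
// copied into the Moodle user record and later rendered on the profile page.

// Constructed property table: one PARAM_* style type per user field. Stand-in
// for core_user::get_property_definition(); the type names are illustrative.
const PROFILE_PROPERTIES = [
    'username'    => 'PARAM_USERNAME',
    'email'       => 'PARAM_EMAIL',
    'firstname'   => 'PARAM_NOTAGS',
    'lastname'    => 'PARAM_NOTAGS',
    'city'        => 'PARAM_TEXT',
    'description' => 'PARAM_TEXT',
    'url'         => 'PARAM_URL',
];

// Stand-in for clean_data()/clean_param(): coerce a value to its declared type.
function clean_field(string $type, string $value): string {
    switch ($type) {
        case 'PARAM_NOTAGS':
        case 'PARAM_TEXT':
            return strip_tags($value);                       // no markup allowed
        case 'PARAM_USERNAME':
            return preg_replace('/[^a-z0-9._@-]/', '', strtolower($value));
        case 'PARAM_EMAIL':
            $v = filter_var($value, FILTER_VALIDATE_EMAIL);
            return $v === false ? '' : $v;                   // invalid -> empty
        case 'PARAM_URL':
            $v = filter_var($value, FILTER_VALIDATE_URL);
            return $v === false ? '' : $v;
        default:
            throw new InvalidArgumentException("unknown type $type");
    }
}

// Vulnerable pattern (pre-3b214760 behaviour as the analysis describes it):
// every column of the external row is stored verbatim.
function update_user_record_unsafe(array $user, array $externalrow): array {
    foreach ($externalrow as $field => $value) {
        $user[$field] = $value;
    }
    return $user;
}

// Hardened pattern: accept only fields with a known definition and clean each
// value with the type declared for that field before it is stored.
function update_user_record_safe(array $user, array $externalrow): array {
    foreach ($externalrow as $field => $value) {
        if (!isset(PROFILE_PROPERTIES[$field])) {
            continue;                 // undefined column: drop, do not store blindly
        }
        $user[$field] = clean_field(PROFILE_PROPERTIES[$field], (string) $value);
    }
    return $user;
}

// Constructed sample row, as an external database might return it.
$row = [
    'username'     => 'jdoe',
    'email'        => 'jdoe@example.invalid',
    'city'         => 'Oslo<script>alert(1)</script>',
    'description'  => '<b>Hello</b> there',
    'extra_column' => 'not a user property',   // no definition: dropped by the safe path
];

$unsafe = update_user_record_unsafe(['id' => 42], $row);
$safe   = update_user_record_safe(['id' => 42], $row);

echo "unsafe city: {$unsafe['city']}\n";     // script tag reaches the user record
echo "safe city:   {$safe['city']}\n";       // "Osloalert(1)"
echo "safe has extra_column: " . (isset($safe['extra_column']) ? 'yes' : 'no') . "\n";
```

Cleaning at the sync boundary is what the patch adds, but it is defence in depth rather than a substitute for output encoding: profile pages should still pass stored values through Moodle's s() or format_string() when rendering. A useful regression check for the upgrade is to point a test site at an external table whose text columns contain markup and confirm that the synced user record no longer carries it.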
