Skip to main content

Moodle CVE-2015-5337

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2016-02-22 secalert@redhat.com
6.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 22, 2016 - 05:59 cve.org
MEDIUM 6.1

DescriptionCVE.org

Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file.

AnalysisAI

Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file. Affected products include: Moodle. Version information: through 2.6.11.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Moodle

View all
CVE-2013-3630 MEDIUM POC
4.6 Nov 01

Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell

CVE-2021-21809 CRITICAL POC
9.1 Jun 23

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. Rated critical severi

CVE-2024-43425 HIGH POC
8.1 Nov 07

A flaw was found in Moodle. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authenticatio

CVE-2017-2641 CRITICAL POC
9.8 Mar 26

In Moodle 2.x and 3.x, SQL injection can occur via user preferences. Rated critical severity (CVSS 9.8), this vulnerabil

CVE-2025-34031 HIGH POC
7.5 Jun 24

The Moodle LMS Jmol plugin version 6.1 and earlier contains a path traversal vulnerability in jsmol.php. The query param

CVE-2013-4341 MEDIUM POC
4.3 Sep 16

Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, an

CVE-2016-9187 HIGH POC
8.8 Nov 04

Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remo

CVE-2016-9186 HIGH POC
8.8 Nov 04

Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows re

CVE-2018-14630 HIGH POC
8.8 Sep 17

moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional re

CVE-2018-1133 HIGH POC
8.8 May 25

An issue was discovered in Moodle 3.x. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low a

CVE-2016-7919 HIGH POC
7.5 Oct 28

Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injectio

CVE-2021-47857 HIGH POC
7.2 Jan 21

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows

Share

CVE-2015-5337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy