CVE-2015-3174

Name of the Vulnerable Software and Affected Versions Moodle versions 2.5.9 and earlier, 2.6.x before 2.6.11, 2.7.x before 2.7.8, 2.8.x before 2.8.6

Description The issue allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading, due to the failure to set the RISK XSS bit for graders in the mod/quiz/db/access.php file. This can be exploited by a remote attacker to perform XSS attacks.

Recommendations For versions 2.5.9 and earlier, update to a version later than 2.5.9. For versions 2.6.x before 2.6.11, update to version 2.6.11 or later. For versions 2.7.x before 2.7.8, update to version 2.7.8 or later. For versions 2.8.x before 2.8.6, update to version 2.8.6 or later. As a temporary workaround, consider restricting access to the gradebook feedback feature during manual quiz grading until a patch is available.