CVE-2014-7835

Name of the Vulnerable Software and Affected Versions Moodle versions 2.6.x through 2.6.5 Moodle versions 2.7.x through 2.7.2

Description The issue allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks. This is possible because the webservice/upload.php file does not ensure that a file upload is for a private or draft area. The attacks can be conducted by specifying the profile-picture area.

Recommendations For Moodle versions 2.6.x through 2.6.5, update to version 2.6.6 or later. For Moodle versions 2.7.x through 2.7.2, update to version 2.7.3 or later.