PT-2016-1291 · Moodle · Moodle
Martin Greenaway
·
Published
2015-08-03
·
Updated
2022-05-13
·
CVE-2015-3275
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Moodle versions prior to 2.6.11
Moodle versions 2.7.x before 2.7.9
Moodle versions 2.8.x before 2.8.7
Moodle versions 2.9.x before 2.9.1
Description
The SCORM module in Moodle contains multiple cross-site scripting (XSS) vulnerabilities due to the lack of protection of the web page structure. This allows a remote attacker to inject arbitrary web script or HTML via a crafted organization name to the "mod/scorm/player.php" or "mod/scorm/prereqs.php" API endpoints.
Recommendations
For versions prior to 2.6.11, update to version 2.6.11 or later.
For versions 2.7.x before 2.7.9, update to version 2.7.9 or later.
For versions 2.8.x before 2.8.7, update to version 2.8.7 or later.
For versions 2.9.x before 2.9.1, update to version 2.9.1 or later.
As a temporary workaround, consider restricting access to the "mod/scorm/player.php" and "mod/scorm/prereqs.php" API endpoints until a patch is available.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Moodle