CVE-2015-5269

Name of the Vulnerable Software and Affected Versions Moodle versions 2.6.11 and earlier, 2.7.x before 2.7.10, 2.8.x before 2.8.8, 2.9.x before 2.9.2

Description The issue exists due to insufficient protection of the web page structure in the group/overview.php function of the Moodle learning management system. This allows a remote attacker to inject arbitrary web or HTML code by modifying the grouping description, potentially leading to cross-site scripting (XSS).

Recommendations For versions 2.6.11 and earlier, update to version 2.6.12 or later. For versions 2.7.x before 2.7.10, update to version 2.7.10 or later. For versions 2.8.x before 2.8.8, update to version 2.8.8 or later. For versions 2.9.x before 2.9.2, update to version 2.9.2 or later. As a temporary workaround, consider restricting access to the group/overview.php page until a patch is available. Avoid using modified grouping descriptions in the affected API endpoint until the issue is resolved.