MSA-15-0022: Potential XSS risk when returning text entered by student from Web Services

by Marina Glancy
Description: If a user who is not XSS-trusted attempts to insert XSS as part of the input text, it will be cleaned when displayed on the Moodle website but may be displayed uncleaned in the external application
Issue summary: external_format_text() cleans and formats text incorrectly
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Eloy Lafuente
Issue no.: MDL-49718
CVE identifier: CVE-2015-3178
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49718