VDB

GCVE-110-MAGEIA-2015-229

GCVE-110-MAGEIA-2015-229
Advisory Published
Vulnetix · Advisory published May 18, 2015
Updated moodle package fixes security vulnerabilities: In Moodle before 2.6.11, leaving gradebook feedback is a trusted action and such capabilities in other modules already have an XSS mask, 'mod/quiz:grade' was missing this flag (CVE-2015-3174). In Moodle before 2.6.11, some error messages display a button to return to the previous page. Redirecting to non-local referer should not be allowed as it can potentially be used for phising (CVE-2015-3175). In Moodle before 2.6.11, on sites with enabled self-registration, not registered users can retrieve fullname of registered users if they know their usernames (CVE-2015-3176). In Moodle before 2.6.11, if a user who is not XSS-trusted attempts to insert a script as part of the input text, it will be cleaned when displayed on the Moodle website but may be displayed uncleaned in the external application because external_format_text() cleans and formats text incorrectly when returning it from Web Services (CVE-2015-3178). In Moodle before 2.6.11, when self-registration is enabled and a user's account was suspended after creating the account but before actually confirming it, the user is still able to login when confirming their email, but only once (CVE-2015-3179). In Moodle before 2.6.11, if a user is enrolled in the course but his enrollment is suspended, they can not access the course but still were able to see the course structure in the navigation block (CVE-2015-3180). In Moodle before 2.6.11, users with the revoked capability 'moodle/user:manageownfiles' are still able to upload private files using a deprecated function in Web Services (CVE-2015-3181).

Affected Products

VendorProductVersionsPlatforms
Mageiamoodle0 (affected), 2.6.11-1.mga4 (unaffected)

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›