Low severityNVD Advisory· Published Jul 29, 2014· Updated May 6, 2026
CVE-2014-3544
CVE-2014-3544
Description
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
moodle/moodlePackagist | < 2.4.11 | 2.4.11 |
moodle/moodlePackagist | >= 2.5.0, < 2.5.7 | 2.5.7 |
moodle/moodlePackagist | >= 2.6.0, < 2.6.4 | 2.6.4 |
moodle/moodlePackagist | >= 2.7.0, < 2.7.1 | 2.7.1 |
Affected products
35cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*+ 34 more
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=2.3.11
- cpe:2.3:a:moodle:moodle:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
Patches
40207466e778bMDL-45683 user: Escaping Skype ID used in profile
1 file changed · +1 −1
user/profile.php+1 −1 modified@@ -334,7 +334,7 @@ if ($user->skype && !isset($hiddenfields['skypeid'])) { $imurl = 'skype:'.urlencode($user->skype).'?call'; - $iconurl = new moodle_url('http://mystatus.skype.com/smallicon/'.$user->skype); + $iconurl = new moodle_url('http://mystatus.skype.com/smallicon/'.urlencode($user->skype)); if (strpos($CFG->httpswwwroot, 'https:') === 0) { // Bad luck, skype devs are lazy to set up SSL on their servers - see MDL-37233. $statusicon = '';
f7b6562f20f6MDL-45683 user: Escaping Skype ID used in profile
1 file changed · +1 −1
user/profile.php+1 −1 modified@@ -314,7 +314,7 @@ if ($user->skype && !isset($hiddenfields['skypeid'])) { $imurl = 'skype:'.urlencode($user->skype).'?call'; - $iconurl = new moodle_url('http://mystatus.skype.com/smallicon/'.$user->skype); + $iconurl = new moodle_url('http://mystatus.skype.com/smallicon/'.urlencode($user->skype)); if (strpos($CFG->httpswwwroot, 'https:') === 0) { // Bad luck, skype devs are lazy to set up SSL on their servers - see MDL-37233. $statusicon = '';
ce5a785b0962MDL-45683 user: Escaping Skype ID used in profile
1 file changed · +1 −1
user/profile.php+1 −1 modified@@ -334,7 +334,7 @@ if ($user->skype && !isset($hiddenfields['skypeid'])) { $imurl = 'skype:'.urlencode($user->skype).'?call'; - $iconurl = new moodle_url('http://mystatus.skype.com/smallicon/'.$user->skype); + $iconurl = new moodle_url('http://mystatus.skype.com/smallicon/'.urlencode($user->skype)); if (strpos($CFG->httpswwwroot, 'https:') === 0) { // Bad luck, skype devs are lazy to set up SSL on their servers - see MDL-37233. $statusicon = '';
739d227c5888MDL-45683 user: Escaping Skype ID used in profile
1 file changed · +1 −1
user/profile.php+1 −1 modified@@ -324,7 +324,7 @@ if ($user->skype && !isset($hiddenfields['skypeid'])) { $imurl = 'skype:'.urlencode($user->skype).'?call'; - $iconurl = new moodle_url('http://mystatus.skype.com/smallicon/'.$user->skype); + $iconurl = new moodle_url('http://mystatus.skype.com/smallicon/'.urlencode($user->skype)); if (strpos($CFG->httpswwwroot, 'https:') === 0) { // Bad luck, skype devs are lazy to set up SSL on their servers - see MDL-37233. $statusicon = '';
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
14- github.com/moodle/moodle/commit/ce5a785b0962c3c94c7a7b0d36176482d21db95dnvdPatchWEB
- osandamalith.wordpress.com/2014/07/25/moodle-2-7-persistent-xss/nvdExploit
- packetstormsecurity.com/files/127624/Moodle-2.7-Cross-Site-Scripting.htmlnvdExploitWEB
- github.com/advisories/GHSA-c9jp-244j-vh78ghsaADVISORY
- moodle.org/mod/forum/discuss.phpnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2014-3544ghsaADVISORY
- openwall.com/lists/oss-security/2014/07/21/1nvdWEB
- osandamalith.wordpress.com/2014/07/25/moodle-2-7-persistent-xssghsaWEB
- osvdb.org/show/osvdb/109337nvdWEB
- www.exploit-db.com/exploits/34169nvdWEB
- www.securityfocus.com/bid/68756nvdWEB
- github.com/moodle/moodle/commit/0207466e778baebff21c7b72bc688761f9c5b0d9ghsaWEB
- github.com/moodle/moodle/commit/739d227c58886e9a1be1426ed66053f1d37ee9a9ghsaWEB
- github.com/moodle/moodle/commit/f7b6562f20f6af4119c7775477cffbaa83229f74ghsaWEB
News mentions
0No linked articles in our index yet.