CVE-2014-7830
Description
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | < 2.5.9 | 2.5.9 |
| moodle/moodle (Packagist) | >= 2.6.0, < 2.6.6 | 2.6.6 |
| moodle/moodle (Packagist) | >= 2.7.0, < 2.7.3 | 2.7.3 |
Affected products
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (range: <=2.4.11)
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
Patches
7bb6b84cfd30 MDL-47865 mod_feedback - XSS through $searchstring in mod/feedback/mapcourse.php
1 file changed · +2 −2
mod/feedback/mapcourse.php+2 −2 modified@@ -111,11 +111,11 @@ 'value="'.get_string('searchagain').'" '. 'onclick="document.location=\'mapcourse.php?id='.$id.'\'"/>'; - echo '<input type="hidden" name="searchcourse" value="'.$searchcourse.'"/>'; + echo '<input type="hidden" name="searchcourse" value="'.s($searchcourse).'"/>'; echo '<input type="hidden" name="feedbackid" value="'.$feedback->id.'"/>'; echo $OUTPUT->help_icon('searchcourses', 'feedback'); } else { - echo '<input type="text" name="searchcourse" value="'.$searchcourse.'"/> '; + echo '<input type="text" name="searchcourse" value="'.s($searchcourse).'"/> '; echo '<input type="submit" value="'.get_string('searchcourses').'"/>'; echo $OUTPUT->help_icon('searchcourses', 'feedback'); }
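Review bot: the unchanged `onclick="document.location=\'mapcourse.php?id='.$id.'\'"` line at the top of this hunk still concatenates `$id` into a JavaScript string inside an HTML attribute, with no escaping in view. Its declaration is outside the hunk, so please confirm it is read as an integer; if it is not, it needs attention in the same change, and `s()` alone would not be enough there because the attribute value is HTML-decoded before it runs as script.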
8bf49b737743 MDL-47865 mod_feedback - XSS through $searchstring in mod/feedback/mapcourse.php
1 file changed · +2 −2
mod/feedback/mapcourse.php+2 −2 modified@@ -112,11 +112,11 @@ 'value="'.get_string('searchagain').'" '. 'onclick="document.location=\'mapcourse.php?id='.$id.'\'"/>'; - echo '<input type="hidden" name="searchcourse" value="'.$searchcourse.'"/>'; + echo '<input type="hidden" name="searchcourse" value="'.s($searchcourse).'"/>'; echo '<input type="hidden" name="feedbackid" value="'.$feedback->id.'"/>'; echo $OUTPUT->help_icon('searchcourses', 'feedback'); } else { - echo '<input type="text" name="searchcourse" value="'.$searchcourse.'"/> '; + echo '<input type="text" name="searchcourse" value="'.s($searchcourse).'"/> '; echo '<input type="submit" value="'.get_string('searchcourses').'"/>'; echo $OUTPUT->help_icon('searchcourses', 'feedback'); }
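Review bot: both changed `echo` lines still assemble the `<input>` tags by string concatenation, so the escaping depends on every later edit remembering to call `s()`. Consider building these inputs with `html_writer::empty_tag('input', array(...))`, which escapes attribute values itself, so the neighbouring hand-built inputs in this block are covered the same way.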
b7f75a9c05c6 MDL-47865 mod_feedback - XSS through $searchstring in mod/feedback/mapcourse.php
1 file changed · +2 −2
mod/feedback/mapcourse.php+2 −2 modified@@ -112,11 +112,11 @@ 'value="'.get_string('searchagain').'" '. 'onclick="document.location=\'mapcourse.php?id='.$id.'\'"/>'; - echo '<input type="hidden" name="searchcourse" value="'.$searchcourse.'"/>'; + echo '<input type="hidden" name="searchcourse" value="'.s($searchcourse).'"/>'; echo '<input type="hidden" name="feedbackid" value="'.$feedback->id.'"/>'; echo $OUTPUT->help_icon('searchcourses', 'feedback'); } else { - echo '<input type="text" name="searchcourse" value="'.$searchcourse.'"/> '; + echo '<input type="text" name="searchcourse" value="'.s($searchcourse).'"/> '; echo '<input type="submit" value="'.get_string('searchcourses').'"/>'; echo $OUTPUT->help_icon('searchcourses', 'feedback'); }
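Review bot: the commit subject names `$searchstring`, but the variable escaped in both changed lines is `$searchcourse`. Please correct the subject so that a history search for the affected parameter finds this fix.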
c6b6e5decee4 MDL-47865 mod_feedback - XSS through $searchstring in mod/feedback/mapcourse.php
1 file changed · +2 −2
mod/feedback/mapcourse.php+2 −2 modified@@ -112,11 +112,11 @@ 'value="'.get_string('searchagain').'" '. 'onclick="document.location=\'mapcourse.php?id='.$id.'\'"/>'; - echo '<input type="hidden" name="searchcourse" value="'.$searchcourse.'"/>'; + echo '<input type="hidden" name="searchcourse" value="'.s($searchcourse).'"/>'; echo '<input type="hidden" name="feedbackid" value="'.$feedback->id.'"/>'; echo $OUTPUT->help_icon('searchcourses', 'feedback'); } else { - echo '<input type="text" name="searchcourse" value="'.$searchcourse.'"/> '; + echo '<input type="text" name="searchcourse" value="'.s($searchcourse).'"/> '; echo '<input type="submit" value="'.get_string('searchcourses').'"/>'; echo $OUTPUT->help_icon('searchcourses', 'feedback'); }
References
- github.com/advisories/GHSA-j4mr-vc54-h5pc (ghsa, ADVISORY)
- moodle.org/mod/forum/discuss.php (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2014-7830 (ghsa, ADVISORY)
- openwall.com/lists/oss-security/2014/11/17/11 (nvd, WEB)
- www.securitytracker.com/id/1031215 (nvd, WEB)
- github.com/moodle/moodle/commit/7bb6b84cfd308bad89dc0c3f95ad2fa55b7d25f8 (ghsa, WEB)
- github.com/moodle/moodle/commit/8bf49b7377438a7f259750e2f076c612c0a5d84e (ghsa, WEB)
- github.com/moodle/moodle/commit/b7f75a9c05c65fb1d2f6391f5dd852f9e923a183 (ghsa, WEB)
- github.com/moodle/moodle/commit/c6b6e5decee4c452b8667f82d7c64f137b687d7c (ghsa, WEB)
- web.archive.org/web/20200228175348/http://www.securityfocus.com/bid/71119 (ghsa, WEB)
- www.securityfocus.com/bid/71119 (nvd)