Low severityNVD Advisory· Published Nov 24, 2014· Updated May 6, 2026

CVE-2014-7835

Description

webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
moodle/moodlePackagist	>= 2.6.0, < 2.6.6	2.6.6
moodle/moodlePackagist	>= 2.7.0, < 2.7.3	2.7.3

Affected products

Moodle/Moodle19 versions
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*+ 18 more
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=2.4.11
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*

Patches

2f87351d5480

MDL-47868 ws: verify upload areas

https://github.com/moodle/moodlePetr SkodaNov 3, 2014via ghsa

commit

1 file changed · +5 −0

webservice/upload.php+5 −0 modified

@@ -68,6 +68,11 @@
 $context = context_user::instance($USER->id);
 require_capability('moodle/user:manageownfiles', $context);
 
+if ($filearea !== 'private' and $filearea !== 'draft') {
+    // Do not dare to allow more areas here!
+    throw new file_exception('error');
+}
+
 $fs = get_file_storage();
 
 $totalsize = 0;

ea1fbc002855

MDL-47868 ws: verify upload areas

https://github.com/moodle/moodlePetr SkodaNov 3, 2014via ghsa

commit

1 file changed · +5 −0

webservice/upload.php+5 −0 modified

@@ -68,6 +68,11 @@
 $context = context_user::instance($USER->id);
 require_capability('moodle/user:manageownfiles', $context);
 
+if ($filearea !== 'private' and $filearea !== 'draft') {
+    // Do not dare to allow more areas here!
+    throw new file_exception('error');
+}
+
 $fs = get_file_storage();
 
 $totalsize = 0;

76ae1f6068f6

MDL-47868 ws: verify upload areas

https://github.com/moodle/moodlePetr SkodaNov 3, 2014via ghsa

commit

1 file changed · +5 −0

webservice/upload.php+5 −0 modified

@@ -68,6 +68,11 @@
 $context = context_user::instance($USER->id);
 require_capability('moodle/user:manageownfiles', $context);
 
+if ($filearea !== 'private' and $filearea !== 'draft') {
+    // Do not dare to allow more areas here!
+    throw new file_exception('error');
+}
+
 $fs = get_file_storage();
 
 $totalsize = 0;

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000