Moderate severityNVD Advisory· Published Nov 24, 2014· Updated May 6, 2026
CVE-2014-9059
CVE-2014-9059
Description
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
moodle/moodlePackagist | < 2.5.9 | 2.5.9 |
moodle/moodlePackagist | >= 2.6.0, < 2.6.6 | 2.6.6 |
moodle/moodlePackagist | >= 2.7.0, < 2.7.3 | 2.7.3 |
Affected products
19cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*+ 18 more
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=2.4.11
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
Patches
40a0145c5e804MDL-47966 Add default content type and encoding
1 file changed · +18 −0
lib/setup.php+18 −0 modified@@ -805,6 +805,24 @@ function stripslashes_deep($value) { } \core\session\manager::start(); +// Set default content type and encoding, developers are still required to use +// echo $OUTPUT->header() everywhere, anything that gets set later should override these headers. +// This is intended to mitigate some security problems. +if (AJAX_SCRIPT) { + if (!core_useragent::supports_json_contenttype()) { + // Some bloody old IE. + @header('Content-type: text/plain; charset=utf-8'); + @header('X-Content-Type-Options: nosniff'); + } else if (!empty($_FILES)) { + // Some ajax code may have problems with json and file uploads. + @header('Content-type: text/plain; charset=utf-8'); + } else { + @header('Content-type: application/json; charset=utf-8'); + } +} else if (!CLI_SCRIPT) { + @header('Content-type: text/html; charset=utf-8'); +} + // Initialise some variables that are supposed to be set in config.php only. if (!isset($CFG->filelifetime)) { $CFG->filelifetime = 60*60*6;
293e4bbcb71fMDL-47966 Add default content type and encoding
1 file changed · +21 −0
lib/setup.php+21 −0 modified@@ -798,6 +798,27 @@ function stripslashes_deep($value) { $SESSION = &$_SESSION['SESSION']; $USER = &$_SESSION['USER']; +// Set default content type and encoding, developers are still required to use +// echo $OUTPUT->header() everywhere, anything that gets set later should override these headers. +// This is intended to mitigate some security problems. +if (AJAX_SCRIPT) { + $supportsjsoncontenttype = !check_browser_version('MSIE') || + (check_browser_version('MSIE', 8) && + !(preg_match("/MSIE 7.0/", $_SERVER['HTTP_USER_AGENT']) && preg_match("/Trident\/([0-9\.]+)/", $_SERVER['HTTP_USER_AGENT']))); + if (!$supportsjsoncontenttype) { + // Some bloody old IE. + @header('Content-type: text/plain; charset=utf-8'); + @header('X-Content-Type-Options: nosniff'); + } else if (!empty($_FILES)) { + // Some ajax code may have problems with json and file uploads. + @header('Content-type: text/plain; charset=utf-8'); + } else { + @header('Content-type: application/json; charset=utf-8'); + } +} else if (!CLI_SCRIPT) { + @header('Content-type: text/html; charset=utf-8'); +} + // Late profiling, only happening if early one wasn't started if (!empty($CFG->profilingenabled)) { require_once($CFG->libdir . '/xhprof/xhprof_moodle.php');
3c98b7a5ad1bMDL-47966 Add default content type and encoding
1 file changed · +18 −0
lib/setup.php+18 −0 modified@@ -772,6 +772,24 @@ } \core\session\manager::start(); +// Set default content type and encoding, developers are still required to use +// echo $OUTPUT->header() everywhere, anything that gets set later should override these headers. +// This is intended to mitigate some security problems. +if (AJAX_SCRIPT) { + if (!core_useragent::supports_json_contenttype()) { + // Some bloody old IE. + @header('Content-type: text/plain; charset=utf-8'); + @header('X-Content-Type-Options: nosniff'); + } else if (!empty($_FILES)) { + // Some ajax code may have problems with json and file uploads. + @header('Content-type: text/plain; charset=utf-8'); + } else { + @header('Content-type: application/json; charset=utf-8'); + } +} else if (!CLI_SCRIPT) { + @header('Content-type: text/html; charset=utf-8'); +} + // Initialise some variables that are supposed to be set in config.php only. if (!isset($CFG->filelifetime)) { $CFG->filelifetime = 60*60*6;
ac6e453d1102MDL-47966 Add default content type and encoding
1 file changed · +18 −0
lib/setup.php+18 −0 modified@@ -774,6 +774,24 @@ } \core\session\manager::start(); +// Set default content type and encoding, developers are still required to use +// echo $OUTPUT->header() everywhere, anything that gets set later should override these headers. +// This is intended to mitigate some security problems. +if (AJAX_SCRIPT) { + if (!core_useragent::supports_json_contenttype()) { + // Some bloody old IE. + @header('Content-type: text/plain; charset=utf-8'); + @header('X-Content-Type-Options: nosniff'); + } else if (!empty($_FILES)) { + // Some ajax code may have problems with json and file uploads. + @header('Content-type: text/plain; charset=utf-8'); + } else { + @header('Content-type: application/json; charset=utf-8'); + } +} else if (!CLI_SCRIPT) { + @header('Content-type: text/html; charset=utf-8'); +} + // Initialise some variables that are supposed to be set in config.php only. if (!isset($CFG->filelifetime)) { $CFG->filelifetime = 60*60*6;
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
12- github.com/advisories/GHSA-crcq-pw8h-9xwfghsaADVISORY
- moodle.org/mod/forum/discuss.phpnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2014-9059ghsaADVISORY
- www.securitytracker.com/id/1031215nvdWEB
- github.com/moodle/moodle/commit/0a0145c5e8041aadeff303a9f9984c86706b4e42ghsaWEB
- github.com/moodle/moodle/commit/293e4bbcb71f0a801c2539ea051c58688314b23aghsaWEB
- github.com/moodle/moodle/commit/3c98b7a5ad1bb596a738e550fc3bf966d6415fe0ghsaWEB
- github.com/moodle/moodle/commit/ac6e453d11024bf6ad99ada1bfc641c6b91ebed6ghsaWEB
- web.archive.org/web/20150914064838/http://www.securitytracker.com/id/1031215ghsaWEB
- web.archive.org/web/20200229043651/http://www.securityfocus.com/bid/71133ghsaWEB
- openwall.com/lists/oss-security/2014/11/17/11nvd
- www.securityfocus.com/bid/71133nvd
News mentions
0No linked articles in our index yet.