VYPR
Low severity · NVD Advisory · Published Jun 1, 2015 · Updated May 6, 2026

CVE-2015-0216

Description

access.php in the Lesson module in Moodle 2.8.x before 2.8.2 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted essay feedback.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: moodle/moodle (Packagist)
Affected versions: >= 2.8.0, < 2.8.2
Patched versions: 2.8.2

Affected products

  • Moodle/Moodle (2 versions)
    • cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*

Patches

c80603ddc4ba

MDL-48034 mod_lesson: grade capability missing RISK_XSS

https://github.com/moodle/moodle · Jean-Michel Vedrine · Jan 4, 2015 · via ghsa
2 files changed · +2 -2
  • mod/lesson/db/access.php (+1 -1, modified)
    @@ -54,7 +54,7 @@
     
         // Grade essay questions.
         'mod/lesson:grade' => array(
    -        'riskbitmask' => RISK_SPAM,
    +        'riskbitmask' => RISK_SPAM | RISK_XSS,
             'captype' => 'write',
             'contextlevel' => CONTEXT_MODULE,
             'archetypes' => array(
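
    Review bot: the comment above 'mod/lesson:grade' still reads only "// Grade essay questions.", so nothing at the riskbitmask line records why RISK_XSS belongs on this capability. Suggest extending that comment to say that graders write essay feedback that is shown to other users, which is the path the advisory names, so the bit is not dropped in a later cleanup of this array.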
    
  • mod/lesson/version.php (+1 -1, modified)
    @@ -24,7 +24,7 @@
     
     defined('MOODLE_INTERNAL') || die();
     
    -$plugin->version   = 2014111001;       // The current module version (Date: YYYYMMDDXX)
    +$plugin->version   = 2014111002;       // The current module version (Date: YYYYMMDDXX)
     $plugin->requires  = 2014110400;    // Requires this Moodle version
     $plugin->component = 'mod_lesson'; // Full name of the plugin (used for diagnostics)
     $plugin->cron      = 0;
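
    Review bot: the $plugin->version bump is what makes an upgraded site re-read mod/lesson/db/access.php and store the new riskbitmask, but neither the line nor the commit message says so. Suggest stating in the commit message that the bump exists to refresh the capability definition, since a site that takes only the access.php change without it keeps the old risk flags on mod/lesson:grade.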
    
b9c86823c70a

MDL-48034 mod_lesson: grade capability missing RISK_XSS

https://github.com/moodle/moodle · Jean-Michel Vedrine · Jan 4, 2015 · via ghsa
2 files changed · +2 -2
  • mod/lesson/db/access.php (+1 -1, modified)
    @@ -54,7 +54,7 @@
     
         // Grade essay questions.
         'mod/lesson:grade' => array(
    -        'riskbitmask' => RISK_SPAM,
    +        'riskbitmask' => RISK_SPAM | RISK_XSS,
             'captype' => 'write',
             'contextlevel' => CONTEXT_MODULE,
             'archetypes' => array(
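
    Review bot: adding RISK_XSS at the riskbitmask line declares the risk but leaves the 'archetypes' grant that follows untouched, so every role that already held mod/lesson:grade keeps it without review. Suggest a release note asking administrators to check which roles hold this capability after upgrading, and to confirm that each of them is trusted to submit feedback HTML.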
    
  • mod/lesson/version.php (+1 -1, modified)
    @@ -24,7 +24,7 @@
     
     defined('MOODLE_INTERNAL') || die();
     
    -$plugin->version   = 2014122900;       // The current module version (Date: YYYYMMDDXX)
    +$plugin->version   = 2015010600;       // The current module version (Date: YYYYMMDDXX)
     $plugin->requires  = 2014110400;    // Requires this Moodle version
     $plugin->component = 'mod_lesson'; // Full name of the plugin (used for diagnostics)
     $plugin->cron      = 0;
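
    Review bot: the new $plugin->version value 2015010600 differs from the 2014111002 used in c80603ddc4ba for the same access.php change, so the fix cannot be recognised by a single mod_lesson version number. Suggest naming the target branch in the commit message so that anyone checking a deployed $plugin->version knows which threshold applies.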
    
