VYPR
Low severity · NVD Advisory · Published Jun 1, 2015 · Updated May 6, 2026

CVE-2015-2273

Description

Cross-site scripting (XSS) vulnerability in mod/quiz/report/statistics/statistics_question_table.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the student role for a crafted quiz response.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
moodle/moodle (Packagist) | < 2.6.9 | 2.6.9
moodle/moodle (Packagist) | >= 2.7.0, < 2.7.6 | 2.7.6
moodle/moodle (Packagist) | >= 2.8.0, < 2.8.4 | 2.8.4

Affected products

  • Moodle/Moodle (29 versions)
    • cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (range: <=2.5.9)
    • cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*

Patches

4
71aeb8a9cb4c

MDL-49364 quiz statistics: escape output in the response analysis

https://github.com/moodle/moodle · Tim Hunt · Mar 3, 2015 · via ghsa
1 file changed · +17 -0
  • mod/quiz/report/statistics/statistics_question_table.php (+17 -0, modified)
    @@ -142,4 +142,21 @@ protected function col_frequency($response) {
     
             return $this->format_percentage($response->count / $this->s);
         }
    +
    +    /**
    +     * If there is not a col_{column name} method then we call this method. If it returns null
    +     * that means just output the property as in the table raw data. If this returns none null
    +     * then this is the output for this cell of the table.
    +     *
    +     * @param string $colname  The name of this column.
    +     * @param object $response The raw data for this row.
    +     * @return string|null The value for this cell of the table or null means use raw data.
    +     */
    +    public function other_cols($colname, $response) {
    +        if ($colname == 'part' || $colname == 'responseclass' || $colname == 'response') {
    +            return s($response->$colname);
    +        } else {
    +            return null;
    +        }
    +    }
     }
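
Review bot: The else branch of other_cols() still returns null, which the docblock defines as "just output the property as in the table raw data", so escaping is opt-in for the three named columns and any column added later is emitted unescaped by default. Consider making s($response->$colname) the default return and returning null only for columns known to carry trusted markup. The docblock also has a typo: "none null" should read "non-null".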
    
ceab40d186e2

MDL-49364 quiz statistics: escape output in the response analysis

https://github.com/moodle/moodle · Tim Hunt · Mar 3, 2015 · via ghsa
1 file changed · +2 -0
  • mod/quiz/report/statistics/statistics_question_table.php (+2 -0, modified)
    @@ -177,6 +177,8 @@ public function other_cols($colname, $response) {
                 } else {
                     return 0;
                 }
    +        } else if ($colname == 'part' || $colname == 'responseclass' || $colname == 'response') {
    +            return s($response->$colname);
             } else {
                 return null;
             }
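
Review bot: The added else-if compares $colname to three string literals with the loose == operator. A strict membership test such as in_array($colname, array('part', 'responseclass', 'response'), true) would rule out a match through type juggling if a non-string column key ever reaches other_cols(), and it keeps the list of escaped columns in one place when it needs extending.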
    
f1fb96b69887

MDL-49364 quiz statistics: escape output in the response analysis

https://github.com/moodle/moodle · Tim Hunt · Mar 3, 2015 · via ghsa
1 file changed · +2 -0
  • mod/quiz/report/statistics/statistics_question_table.php (+2 -0, modified)
    @@ -177,6 +177,8 @@ public function other_cols($colname, $response) {
                 } else {
                     return 0;
                 }
    +        } else if ($colname == 'part' || $colname == 'responseclass' || $colname == 'response') {
    +            return s($response->$colname);
             } else {
                 return null;
             }
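
Review bot: No regression test accompanies the new else-if branch; the commit changes one file and adds only these two lines. A unit test that passes other_cols() a $response whose response property contains markup, and asserts that the returned string is entity-encoded, would catch this branch being dropped or reordered in a later refactor of the if/else chain.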
    
8b6fcfa95820

MDL-49364 quiz statistics: escape output in the response analysis

https://github.com/moodle/moodle · Tim Hunt · Mar 3, 2015 · via ghsa
1 file changed · +2 -0
  • mod/quiz/report/statistics/statistics_question_table.php (+2 -0, modified)
    @@ -177,6 +177,8 @@ public function other_cols($colname, $response) {
                 } else {
                     return 0;
                 }
    +        } else if ($colname == 'part' || $colname == 'responseclass' || $colname == 'response') {
    +            return s($response->$colname);
             } else {
                 return null;
             }
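
Review bot: s($response->$colname) in the added branch is applied unconditionally, whatever format the table is being rendered in. If this report can also be exported in a non-HTML format, the HTML entities would end up in the exported data. It is worth confirming that and, if so, escaping only on the HTML rendering path.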
    
