Low severityNVD Advisory· Published Jun 1, 2015· Updated May 6, 2026
CVE-2015-3174
CVE-2015-3174
Description
mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
moodle/moodlePackagist | < 2.6.11 | 2.6.11 |
moodle/moodlePackagist | >= 2.7.0, < 2.7.8 | 2.7.8 |
moodle/moodlePackagist | >= 2.8.0, < 2.8.6 | 2.8.6 |
Affected products
35cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*+ 34 more
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=2.5.9
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*
Patches
4e51fdfe0cbabMDL-49941 quiz: mod/quiz:grade should declare RISK_XSS
1 file changed · +1 −1
mod/quiz/db/access.php+1 −1 modified@@ -108,7 +108,7 @@ // Manually grade and comment on student attempts at a question. 'mod/quiz:grade' => array( - 'riskbitmask' => RISK_SPAM, + 'riskbitmask' => RISK_SPAM | RISK_XSS, 'captype' => 'write', 'contextlevel' => CONTEXT_MODULE, 'archetypes' => array(
10c2b9244887MDL-49941 quiz: mod/quiz:grade should declare RISK_XSS
1 file changed · +1 −1
mod/quiz/db/access.php+1 −1 modified@@ -108,7 +108,7 @@ // Manually grade and comment on student attempts at a question. 'mod/quiz:grade' => array( - 'riskbitmask' => RISK_SPAM, + 'riskbitmask' => RISK_SPAM | RISK_XSS, 'captype' => 'write', 'contextlevel' => CONTEXT_MODULE, 'archetypes' => array(
39ae18a2f90fMDL-49941 quiz: mod/quiz:grade should declare RISK_XSS
1 file changed · +1 −1
mod/quiz/db/access.php+1 −1 modified@@ -108,7 +108,7 @@ // Manually grade and comment on student attempts at a question. 'mod/quiz:grade' => array( - 'riskbitmask' => RISK_SPAM, + 'riskbitmask' => RISK_SPAM | RISK_XSS, 'captype' => 'write', 'contextlevel' => CONTEXT_MODULE, 'archetypes' => array(
1ce4f44df7e7MDL-49941 quiz: mod/quiz:grade should declare RISK_XSS
1 file changed · +1 −1
mod/quiz/db/access.php+1 −1 modified@@ -108,7 +108,7 @@ // Manually grade and comment on student attempts at a question. 'mod/quiz:grade' => array( - 'riskbitmask' => RISK_SPAM, + 'riskbitmask' => RISK_SPAM | RISK_XSS, 'captype' => 'write', 'contextlevel' => CONTEXT_MODULE, 'archetypes' => array(
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
12- github.com/advisories/GHSA-6r7x-6q98-qcqpghsaADVISORY
- moodle.org/mod/forum/discuss.phpnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2015-3174ghsaADVISORY
- openwall.com/lists/oss-security/2015/05/18/1nvdWEB
- www.securityfocus.com/bid/74719https://web.archive.org/web/20200228054910/http://www.securityfocus.com/bid/74719ghsaWEB
- github.com/moodle/moodle/commit/10c2b92448873a8479942098a090e7c16b44438dghsaWEB
- github.com/moodle/moodle/commit/1ce4f44df7e793051211841b6a78ac77bd42fc99ghsaWEB
- github.com/moodle/moodle/commit/39ae18a2f90fcf392a711dd41f9aa7627f72a762ghsaWEB
- github.com/moodle/moodle/commit/e51fdfe0cbab19320f139773d83aacb1ad15eb46ghsaWEB
- web.archive.org/web/20201030042703/http://www.securitytracker.com/id/1032358ghsaWEB
- www.securityfocus.com/bid/74719nvd
- www.securitytracker.com/id/1032358nvd
News mentions
0No linked articles in our index yet.