VYPR
Medium severity · 5.4 · NVD Advisory · Published Feb 22, 2016 · Updated May 6, 2026

CVE-2015-5269

Description

Cross-site scripting (XSS) vulnerability in group/overview.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to inject arbitrary web script or HTML via a modified grouping description.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in Moodle group/overview.php allows authenticated users to inject arbitrary web script via a modified grouping description.

Vulnerability

The vulnerability is a stored cross-site scripting (XSS) in group/overview.php in Moodle. It affects versions through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2. Remote authenticated users can inject arbitrary web script or HTML via a modified grouping description. [1][2]

Exploitation

An attacker must be an authenticated user with the ability to modify grouping descriptions. The attacker crafts a malicious grouping description containing JavaScript or HTML. When other users view the group overview page, the injected script executes in their browser. No special privileges beyond being a user with group editing rights are required. [1][2]

Impact

Successful exploitation allows the attacker to execute arbitrary web script in the context of the victim's session. This can lead to data theft, session hijacking, or defacement. The impact is limited to the browser of users viewing the affected page. [1][2]

Mitigation

The vulnerability is fixed in Moodle versions 2.7.10, 2.8.8, and 2.9.2. Users should upgrade to these versions or later. For unsupported versions (2.6.x and earlier), no fix is available; upgrading to a supported version is recommended. [1][3]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
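
An added example (not Moodle's code and not part of the advisory): the fix commits listed under Patches delete one line, `$options->noclean = true;`, ahead of a `format_text()` call, so the same pattern is worth checking for in local plugins and customisations. This Python scanner flags `format_text()` calls that receive options with `noclean` switched on. The function name `find_unclean_format_text` and the sample strings are constructed for illustration, and the scan is line-based, so calls split across lines need a real PHP parser.

```python
import re

# Constructed sample: the lines of group/overview.php shown in the fix commits,
# before the patch (removed line still present) and after it.
PRE_FIX = """\
echo $OUTPUT->heading($groupings[$gpgid]->formattedname, 3);
$description = file_rewrite_pluginfile_urls($groupings[$gpgid]->description, 'pluginfile.php', $context->id, 'grouping', 'description', $gpgid);
$options = new stdClass;
$options->noclean = true;
$options->overflowdiv = true;
echo $OUTPUT->box(format_text($description, $groupings[$gpgid]->descriptionformat, $options), 'generalbox boxwidthnarrow boxaligncenter');
"""
POST_FIX = PRE_FIX.replace("$options->noclean = true;\n", "")

# $var->noclean = true|false;   or   $var['noclean'] = true|false;
ASSIGN = re.compile(
    r"""(\$\w+)\s*(?:->\s*noclean|\[\s*['"]noclean['"]\s*\])\s*=\s*(true|false)\b""",
    re.I)
# 'noclean' => true written inline in an array literal
ARRAY_KEY = re.compile(r"""['"]noclean['"]\s*=>\s*true\b""", re.I)
CALL = re.compile(r"\bformat_text\s*\(")


def find_unclean_format_text(php_source):
    """Return (line_no, reason) for each format_text() call given noclean options."""
    findings = []
    noclean_vars = {}  # options variable -> line where noclean was switched on
    for no, line in enumerate(php_source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip comment-only lines
        m = ASSIGN.search(line)
        if m and m.group(2).lower() == "true":
            noclean_vars[m.group(1)] = no
        elif m:
            noclean_vars.pop(m.group(1), None)  # explicitly switched back off
        call = CALL.search(line)
        if not call:
            continue
        args = line[call.end():]
        if ARRAY_KEY.search(args):
            findings.append((no, "inline 'noclean' => true"))
        for var, where in noclean_vars.items():
            if re.search(re.escape(var) + r"\b", args):
                findings.append((no, f"{var} had noclean set on line {where}"))
    return findings
```

Each finding is a place to confirm that the text passed in can only be written by users trusted to author raw HTML.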

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (ecosystem)          Affected versions     Patched versions
moodle/moodle (Packagist)    < 2.7.10              2.7.10
moodle/moodle (Packagist)    >= 2.8.0, < 2.8.8     2.8.8
moodle/moodle (Packagist)    >= 2.9.0, < 2.9.2     2.9.2

Affected products

23
  • Moodle/Moodle: 22 versions
    • cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* range: <=2.6.11
    • cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.9:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.1:*:*:*:*:*:*:*
    • (no CPE) range: <=2.6.11, <2.7.10, <2.8.8, <2.9.2
  • ghsa-coords
    Range: < 2.7.10

Patches

4
45f3b5302d64

MDL-50709 groups: Prevent XSS in grouping description

https://github.com/moodle/moodle · John Okely · Jul 28, 2015 · via ghsa
1 file changed · +0 -1
  • group/overview.php · +0 -1 · modified
    @@ -206,7 +206,6 @@
             echo $OUTPUT->heading($groupings[$gpgid]->formattedname, 3);
             $description = file_rewrite_pluginfile_urls($groupings[$gpgid]->description, 'pluginfile.php', $context->id, 'grouping', 'description', $gpgid);
             $options = new stdClass;
    -        $options->noclean = true;
             $options->overflowdiv = true;
             echo $OUTPUT->box(format_text($description, $groupings[$gpgid]->descriptionformat, $options), 'generalbox boxwidthnarrow boxaligncenter');
         }
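
Review bot: No test accompanies the removal of `$options->noclean = true;`, so nothing guards the `format_text()` call two lines below against the flag being reintroduced. Add a regression test that stores a grouping description containing script markup and asserts that the box rendered on the overview page has it stripped.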
    
a44fed5c804b

MDL-50709 groups: Prevent XSS in grouping description

https://github.com/moodle/moodle · John Okely · Jul 28, 2015 · via ghsa
1 file changed · +0 -1
  • group/overview.php · +0 -1 · modified
    @@ -206,7 +206,6 @@
             echo $OUTPUT->heading($groupings[$gpgid]->formattedname, 3);
             $description = file_rewrite_pluginfile_urls($groupings[$gpgid]->description, 'pluginfile.php', $context->id, 'grouping', 'description', $gpgid);
             $options = new stdClass;
    -        $options->noclean = true;
             $options->overflowdiv = true;
             echo $OUTPUT->box(format_text($description, $groupings[$gpgid]->descriptionformat, $options), 'generalbox boxwidthnarrow boxaligncenter');
         }
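
Review bot: The `heading()` call on the first context line echoes `$groupings[$gpgid]->formattedname`, and the hunk does not show where that value is built. If the grouping name is editable by the same users as the description, confirm in this review that `formattedname` has been passed through `format_string()` or equivalent escaping before it reaches `$OUTPUT->heading()`.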
    
fa5a3cdedcd9

MDL-50709 groups: Prevent XSS in grouping description

https://github.com/moodle/moodle · John Okely · Jul 28, 2015 · via ghsa
1 file changed · +0 -1
  • group/overview.php · +0 -1 · modified
    @@ -206,7 +206,6 @@
             echo $OUTPUT->heading($groupings[$gpgid]->formattedname, 3);
             $description = file_rewrite_pluginfile_urls($groupings[$gpgid]->description, 'pluginfile.php', $context->id, 'grouping', 'description', $gpgid);
             $options = new stdClass;
    -        $options->noclean = true;
             $options->overflowdiv = true;
             echo $OUTPUT->box(format_text($description, $groupings[$gpgid]->descriptionformat, $options), 'generalbox boxwidthnarrow boxaligncenter');
         }
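
Review bot: Cleaning now happens only at this output site; `$groupings[$gpgid]->description` still arrives from storage unchanged and is only URL-rewritten before `format_text()`. Check every other place that renders a grouping description for the same `noclean` option, because the stored value is not sanitised by this change.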
    
ae6b18a93430

MDL-50709 groups: Prevent XSS in grouping description

https://github.com/moodle/moodle · John Okely · Jul 28, 2015 · via ghsa
1 file changed · +0 -1
  • group/overview.php · +0 -1 · modified
    @@ -206,7 +206,6 @@
             echo $OUTPUT->heading($groupings[$gpgid]->formattedname, 3);
             $description = file_rewrite_pluginfile_urls($groupings[$gpgid]->description, 'pluginfile.php', $context->id, 'grouping', 'description', $gpgid);
             $options = new stdClass;
    -        $options->noclean = true;
             $options->overflowdiv = true;
             echo $OUTPUT->box(format_text($description, $groupings[$gpgid]->descriptionformat, $options), 'generalbox boxwidthnarrow boxaligncenter');
         }
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10
