VYPR
Medium severity (5.4) · NVD Advisory · Published Feb 22, 2016 · Updated May 6, 2026

CVE-2015-5336

Description

Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering a crafted survey answer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Moodle survey module allowed authenticated students to inject arbitrary web script via crafted survey answers, affecting multiple versions.

Vulnerability

The survey module in Moodle contains multiple cross-site scripting (XSS) vulnerabilities. The bug lies in the output rendering of user-supplied survey answer text: the values held in $answertext, $answer1, and $answer2 are interpolated into HTML without being escaped. An attacker with the student role can craft survey answers containing malicious HTML or JavaScript. Affected versions include Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 [1][3][4]. The fix wraps the answer variables in the s() function (which calls htmlspecialchars()) [3][4].

Exploitation

An attacker must be a remotely authenticated user with the student role in a Moodle course. The attacker submits a survey with a crafted answer containing arbitrary JavaScript or HTML in the answer text field. When the teacher or other user views the survey results (e.g., via report.php or survey_user_complete()), the malicious script executes in the context of the viewer's browser. No additional privileges beyond student role are required [1][3][4].

Impact

Successful exploitation allows the attacker to inject arbitrary web script or HTML, leading to potential information disclosure, session hijacking, or other client-side attacks against users viewing the survey results. The attack is stored XSS, as the payload is persisted within the Moodle database and triggered whenever the affected report page is loaded [1].

Mitigation

The vulnerability is fixed in Moodle versions 2.7.11, 2.8.9, 2.9.3, and later releases [1]. Administrators should upgrade to a patched version immediately. There is no known workaround provided in the available references. The fix commits apply the s() output escaping function to the answer variables in mod/survey/lib.php [3][4].
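To make the mechanics of the fix concrete, here is an added PHP example (not Moodle's own code) that renders one survey answer cell the way the pre-fix lib.php did and the way the patched code does, then checks the result the way a regression test would. The s_escape() helper is a simplified stand-in for Moodle's s(): it reproduces only the htmlspecialchars() core of that function, not its entity-preserving regex, and the sample answer string is constructed for the demonstration.

```php
<?php
// Added example (not Moodle's code): shows why the MDL-49940 fix works by
// rendering one survey answer cell the pre-fix way and the post-fix way.
// s_escape() is a simplified stand-in for Moodle's s(); assumption: only the
// htmlspecialchars() core is reproduced, not s()'s entity-preserving regex.
declare(strict_types=1);

function s_escape(string $var): string
{
    // ENT_QUOTES also encodes single quotes, so the value is safe inside
    // either attribute quoting style as well as in element content.
    return htmlspecialchars($var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Shape of the survey_user_complete() row before the fix:
// the stored answer is interpolated straight into markup.
function render_answer_cell_vulnerable(string $answertext): string
{
    return "<td>$answertext</td>";
}

// Shape after the fix: the student-supplied answer is escaped at output time.
function render_answer_cell_fixed(string $answertext): string
{
    return '<td>' . s_escape($answertext) . '</td>';
}

// Check a rendered cell the way a regression test would: strip the <td>
// wrapper and require that no tag or quote delimiters survive in the body.
function answer_body_is_inert(string $cell): bool
{
    $body = substr($cell, strlen('<td>'), -strlen('</td>'));
    return preg_match('/[<>"\']/', $body) === 0;
}

// Constructed sample answer standing in for a row read from the survey tables.
$answertext = '<script>alert("survey")</script> & it\'s "quoted"';

$before = render_answer_cell_vulnerable($answertext);
$after  = render_answer_cell_fixed($answertext);

echo "Before fix : $before\n";
echo "After fix  : $after\n";
echo 'Before inert? ', var_export(answer_body_is_inert($before), true), "\n";
echo 'After inert?  ', var_export(answer_body_is_inert($after), true), "\n";
```

Run it with `php example.php`. The escaped cell comes out as `&lt;script&gt;alert(&quot;survey&quot;)&lt;/script&gt; &amp; it&#039;s &quot;quoted&quot;`, which the browser displays as literal text; the unescaped cell would be parsed as markup. Moodle's convention is to store submitted text as-is and escape at render time, which is why the fix lands in the output code (lib.php and report.php) rather than in the submission handler, and why a site that has applied the patch still needs every other place that renders survey answers to go through the same escaping.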

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    | Affected versions   | Patched versions
moodle/moodle (Packagist)  | < 2.7.11            | 2.7.11
moodle/moodle (Packagist)  | >= 2.8.0, < 2.8.9   | 2.8.9
moodle/moodle (Packagist)  | >= 2.9.0, < 2.9.3   | 2.9.3

Affected products (26)
  • Moodle/Moodle (25 versions)
    • cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* range: <=2.6.11
    • cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.10:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.9:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.2:*:*:*:*:*:*:*
    • (no CPE) range: <=2.6.11, <2.7.11, <2.8.9, <2.9.3
  • ghsa-coords
    Range: < 2.7.11

Patches (7)
31d0bf81af07

MDL-49940 mod_survey: Fix XSS on survey module

https://github.com/moodle/moodle · Simey Lameze · Sep 24, 2015 · via ghsa
2 files changed · +2 −2
  • mod/survey/lib.php (+1 −1, modified)
    @@ -189,7 +189,7 @@ function survey_user_complete($course, $user, $mod, $survey) {
                     } else {
                         $answertext = "No answer";
                     }
    -                $table->data[] = array("<b>$questiontext</b>", $answertext);
    +                $table->data[] = array("<b>$questiontext</b>", s($answertext));
                 }
                 echo html_writer::table($table);
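Review bot: the escaping here covers only $answertext; $questiontext is still interpolated raw into `"<b>$questiontext</b>"` one column to the left. Question text comes from the survey definition rather than from the student's answer, so it is outside this CVE, but since html_writer::table() emits cell contents as markup without escaping them, the reviewer should confirm that source and consider giving it the same s() (or format_string()) treatment. Passing the literal "No answer" through s() as well is harmless.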
     
    
  • mod/survey/report.php (+1 −1, modified)
    @@ -356,7 +356,7 @@
                            $OUTPUT->user_picture($a, array('courseid'=>$course->id)),
                            "<a href=\"report.php?id=$id&amp;action=student&amp;student=$a->userid\">".fullname($a)."</a>",
                            userdate($a->time),
    -                       $answer1, $answer2);
    +                       s($answer1), s($answer2));
     
                 }
             }
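Review bot: s() now wraps $answer1 and $answer2, but the other columns in the same array literal are left as they were: $id and $a->userid go straight into the href and fullname($a) is concatenated raw. None of those are survey answers, so they are out of scope for this fix, but the reviewer should confirm that $id and $a->userid are integer-validated (e.g. via required_param(..., PARAM_INT)) and that fullname() output is already safe in this context rather than relying on the diff context alone.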
    
12c232df7688

MDL-49940 mod_survey: Fix XSS on survey module

https://github.com/moodle/moodle · Simey Lameze · Sep 24, 2015 · via ghsa
2 files changed · +2 −2
  • mod/survey/lib.php (+1 −1, modified)
    @@ -189,7 +189,7 @@ function survey_user_complete($course, $user, $mod, $survey) {
                     } else {
                         $answertext = "No answer";
                     }
    -                $table->data[] = array("<b>$questiontext</b>", $answertext);
    +                $table->data[] = array("<b>$questiontext</b>", s($answertext));
                 }
                 echo html_writer::table($table);
     
    
  • mod/survey/report.php (+1 −1, modified)
    @@ -358,7 +358,7 @@
                            $OUTPUT->user_picture($a, array('courseid'=>$course->id)),
                            "<a href=\"report.php?id=$id&amp;action=student&amp;student=$a->userid\">".fullname($a)."</a>",
                            userdate($a->time),
    -                       $answer1, $answer2);
    +                       s($answer1), s($answer2));
     
                 }
             }
    
fd14d2902fab

MDL-49940 mod_survey: Fix XSS on survey module

https://github.com/moodle/moodle · Simey Lameze · Sep 24, 2015 · via ghsa
2 files changed · +2 −2
  • mod/survey/lib.php (+1 −1, modified)
    @@ -189,7 +189,7 @@ function survey_user_complete($course, $user, $mod, $survey) {
                     } else {
                         $answertext = "No answer";
                     }
    -                $table->data[] = array("<b>$questiontext</b>", $answertext);
    +                $table->data[] = array("<b>$questiontext</b>", s($answertext));
                 }
                 echo html_writer::table($table);
     
    
  • mod/survey/report.php (+1 −1, modified)
    @@ -358,7 +358,7 @@
                            $OUTPUT->user_picture($a, array('courseid'=>$course->id)),
                            "<a href=\"report.php?id=$id&amp;action=student&amp;student=$a->userid\">".fullname($a)."</a>",
                            userdate($a->time),
    -                       $answer1, $answer2);
    +                       s($answer1), s($answer2));
     
                 }
             }
    
b4f4232e1cf7

MDL-49940 mod_survey: Fix XSS on survey module

https://github.com/moodle/moodle · Simey Lameze · Sep 24, 2015 · via ghsa
2 files changed · +2 −2
  • mod/survey/lib.php (+1 −1, modified)
    @@ -189,7 +189,7 @@ function survey_user_complete($course, $user, $mod, $survey) {
                     } else {
                         $answertext = "No answer";
                     }
    -                $table->data[] = array("<b>$questiontext</b>", $answertext);
    +                $table->data[] = array("<b>$questiontext</b>", s($answertext));
                 }
                 echo html_writer::table($table);
     
    
  • mod/survey/report.php (+1 −1, modified)
    @@ -358,7 +358,7 @@
                            $OUTPUT->user_picture($a, array('courseid'=>$course->id)),
                            "<a href=\"report.php?id=$id&amp;action=student&amp;student=$a->userid\">".fullname($a)."</a>",
                            userdate($a->time),
    -                       $answer1, $answer2);
    +                       s($answer1), s($answer2));
     
                 }
             }
    
f03ec4ce85b3

MDL-49940 mod_survey: Escape user comments

https://github.com/moodle/moodle · Hugh Davenport · Sep 24, 2015 · via ghsa
1 file changed · +1 −1
  • mod/survey/report.php (+1 −1, modified)
    @@ -303,7 +303,7 @@
                             foreach ($aaa as $a) {
                                 $contents .= "<tr>";
                                 $contents .= '<td class="fullnamecell">'.fullname($a).'</td>';
    -                            $contents .= '<td valign="top">'.$a->answer1.'</td>';
    +                            $contents .= '<td valign="top">'.s($a->answer1).'</td>';
                                 $contents .= "</tr>";
                             }
                         }
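Review bot: only $a->answer1 is escaped in this loop, so if this code path (or the sibling loop next to it) ever emits $a->answer2 it needs the same s() call, matching what the companion commit does for the results table. fullname($a) in the adjacent cell remains unescaped, consistent with the other hunk, and should be confirmed safe in the same review. As a style point, the `valign="top"` attribute is presentational HTML that belongs in a class rather than inline in the cell.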
    
48d8989f13a6

MDL-49940 mod_survey: Escape user comments

https://github.com/moodle/moodle · Hugh Davenport · Sep 24, 2015 · via ghsa
1 file changed · +1 −1
  • mod/survey/report.php (+1 −1, modified)
    @@ -303,7 +303,7 @@
                             foreach ($aaa as $a) {
                                 $contents .= "<tr>";
                                 $contents .= '<td class="fullnamecell">'.fullname($a).'</td>';
    -                            $contents .= '<td valign="top">'.$a->answer1.'</td>';
    +                            $contents .= '<td valign="top">'.s($a->answer1).'</td>';
                                 $contents .= "</tr>";
                             }
                         }
    
86cec86942c1

MDL-49940 mod_survey: Escape user comments

https://github.com/moodle/moodle · Hugh Davenport · Sep 24, 2015 · via ghsa
1 file changed · +1 −1
  • mod/survey/report.php (+1 −1, modified)
    @@ -303,7 +303,7 @@
                             foreach ($aaa as $a) {
                                 $contents .= "<tr>";
                                 $contents .= '<td class="fullnamecell">'.fullname($a).'</td>';
    -                            $contents .= '<td valign="top">'.$a->answer1.'</td>';
    +                            $contents .= '<td valign="top">'.s($a->answer1).'</td>';
                                 $contents .= "</tr>";
                             }
                         }
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (10)

News mentions (0)

No linked articles in our index yet.