CVE-2015-5337

moderate-risk

Published 2016-02-22

Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file.

Do I need to act?

0.27% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Moodle

Affected Vendors

Moodle

References (4)

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48085

Vendor Advisory https://moodle.org/mod/forum/discuss.php?d=323232

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48085

Vendor Advisory https://moodle.org/mod/forum/discuss.php?d=323232

/ 100

moderate-risk

Severity 23/34 · High

Exploitability 1/34 · Minimal

Exposure 21/34 · High