CVE-2014-7835

🗓️ 24 Nov 2014 11:00:00Reported by redhatType

cve🔗 web.nvd.nist.gov👁 39 Views🌐 WEB

Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows authenticated users to conduct XSS attacks via webservice/upload.php

Reporter	Title	Published	Views	Family All 12
Tenable Nessus	Moodle 2.6.x < 2.6.6 / 2.7.x < 2.7.3 Multiple Vulnerabilities	20 Apr 201500:00	–	nessus
Cvelist	CVE-2014-7835	24 Nov 201411:00	–	cvelist
EUVD	EUVD-2022-5418	3 Oct 202520:07	–	euvd
Github Security Blog	Moodle allows attackers to upload files containing JavaScript	13 May 202201:12	–	github
Mageia	Updated moodle package fixes security vulnerabilities	22 Nov 201410:54	–	mageia
NVD	CVE-2014-7835	24 Nov 201411:59	–	nvd
OpenVAS	Mageia: Security Advisory (MGASA-2014-0483)	28 Jan 202200:00	–	openvas
OSV	GHSA-VRF6-Q7QJ-69V5 Moodle allows attackers to upload files containing JavaScript	13 May 202201:12	–	osv
OSV	MGASA-2014-0483 Updated moodle package fixes security vulnerabilities	22 Nov 201410:54	–	osv
Prion	Cross site scripting	24 Nov 201411:59	–	prion

NVD

Node

moodle moodleRange≤2.4.11

Source	Link
moodle	www.moodle.org/mod/forum/discuss.php
git	www.git.moodle.org/gw
openwall	www.openwall.com/lists/oss-security/2014/11/17/11
securitytracker	www.securitytracker.com/id/1031215

Parameter	Position	Path	Description	CWE
area	path	webservice/upload.php	Moodle webservice/upload.php allows file upload to profile-picture area without restricting to private/draft area, enabling uploaded JavaScript for XSS by remote authenticated users.	CWE-79

06 May 2026 22:30Current

5.4Medium risk

Vulners AI Score5.4

CVSS 22.1

EPSS0.0018