Cross-site scripting (XSS) vulnerability in the external_format_text function in lib/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML into an external application via a crafted string that is visible to web services.
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49718
openwall.com/lists/oss-security/2015/05/18/1
github.com/moodle/moodle
github.com/moodle/moodle/commit/28947c1d7d9c53781989b9da7ceb2cafdd144749
github.com/moodle/moodle/commit/2c7d13dba37aa0c850c62037b951efd6dc1b0f78
github.com/moodle/moodle/commit/77067fbb3a248ac2f1fa4b3c20e5b81f768940e5
github.com/moodle/moodle/commit/7f5bd0da0e25feb3b6da3908b6672a58af82e12f
github.com/moodle/moodle/commit/b4da1e0ae4f63ef0bb14b8bf5c0b86cd00f2af4b
github.com/moodle/moodle/commit/d62d36c657a5df45ee286722490abb7901381da6
moodle.org/mod/forum/discuss.php?d=313685
nvd.nist.gov/vuln/detail/CVE-2015-3178
web.archive.org/web/20200228054910/www.securityfocus.com/bid/74726
web.archive.org/web/20201201000000*/www.securitytracker.com/id/1032358