Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the absence of an external_format_text call in a web service.
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50130
openwall.com/lists/oss-security/2015/07/13/2
github.com/moodle/moodle
github.com/moodle/moodle/commit/7b15a363201109354bbd6d51a7c70f50dac7b9d8
github.com/moodle/moodle/commit/a809a8dccea222a31e0828d4f17889035e6d1a36
github.com/moodle/moodle/commit/e96e66aa16dca5cbcdb1aef0f9499edf86f1404b
github.com/moodle/moodle/commit/ffe5c784889b3f7b2ba11cf9db881d54904623b7
moodle.org/mod/forum/discuss.php?d=316664
nvd.nist.gov/vuln/detail/CVE-2015-3274
web.archive.org/web/20150924032214/www.securitytracker.com/id/1032877