4.3

CVE-2014-0218: Moodle URL Downloader Allows Malicious Script Injection

GHSA-ch68-5r37-p7c3 CVE-2014-0218
Summary

A security flaw in Moodle's URL Downloader feature allows attackers to inject malicious code into a website, potentially allowing them to steal sensitive information or take control of user sessions. This issue affects Moodle versions 2.3.11 and earlier, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3. To stay secure, update Moodle to the latest patched version.

What to do
  • Update Moodle to version 2.4.10.
  • Update Moodle to version 2.5.6.
  • Update Moodle to version 2.6.3.
Affected software
Ecosystem   Vendor   Product   Affected versions
composer    moodle   moodle    < 2.4.10
                               >= 2.5.0, < 2.5.6
                               >= 2.6.0, < 2.6.3
                               Fix: upgrade to 2.4.10
–           moodle   moodle    <= 2.3.11
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0
2.6.1
2.6.2
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
Original title
Cross-site scripting (XSS) vulnerability in the URL downloader repository in repository/url/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows ...
Original description
Cross-site scripting (XSS) vulnerability in the URL downloader repository in repository/url/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 27 May 2014 · Updated: 15 Jun 2026 · First seen: 6 Mar 2026