PatchSiren

CVE-2017-2578 Moodle CVE debrief

CVE-2017-2578 is a cross-site scripting (XSS) issue in Moodle 3.x affecting the assignment submission page. NVD rates it as medium severity, with a network-reachable attack path that requires user interaction and can impact both confidentiality and integrity in the victim’s browser context.

Vendor: Moodle
Product: CVE-2017-2578
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-20
Original CVE updated: 2026-05-13
Advisory published: 2017-01-20
Advisory updated: 2026-05-13

Who should care

Moodle administrators, school and university IT teams, and anyone running Moodle instances where students or external users submit assignments should care most. Security teams should also review any deployments that expose assignment workflows to untrusted users.

Technical summary

The NVD record classifies this issue as CWE-79 and gives it the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. That means a remote attacker can leverage a crafted web input or content path associated with the assignment submission page so that script executes in another user’s browser after the user interacts with the page. NVD’s vulnerable CPE entries cover Moodle 3.1.0 through 3.1.3 and Moodle 3.2.0 release candidates and builds listed in the record.

Defensive priority

Medium

Recommended defensive actions

  • Review whether your Moodle deployment matches the affected 3.x versions listed in NVD and prioritize remediation for internet-facing instances.
  • Apply the vendor guidance referenced by NVD for the Moodle advisory and verify that the assignment submission page is no longer accepting unsanitized input.
  • Test the assignment submission workflow after patching to confirm no legitimate functionality regressed.
  • If immediate patching is not possible, reduce exposure by limiting who can submit assignments and monitoring for abnormal browser-side behavior on assignment pages.
  • Use standard web application protections such as output encoding and input validation controls in custom integrations or plugins around assignment handling.

Evidence notes

The CVE description states there is XSS in the Moodle 3.x assignment submission page. NVD classifies the weakness as CWE-79 and provides the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The NVD record also lists vulnerable Moodle CPEs including 3.1.0, 3.1.1, 3.1.2, 3.1.3, and 3.2.0 variants. NVD references a Moodle vendor advisory and a third-party advisory entry.

Official resources

CVE published on 2017-01-20. The NVD record was later modified on 2026-05-13. The supplied corpus references a Moodle vendor advisory and third-party advisory, but does not include a fix version.