Filtered by vendor Moodle
Subscribe
Search
Total
33 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5540 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-16 | N/A | 8.8 HIGH |
| A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers. | |||||
| CVE-2023-5539 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-16 | N/A | 8.8 HIGH |
| A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. | |||||
| CVE-2021-43559 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2022-06-14 | 6.8 MEDIUM | 8.8 HIGH |
| A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk. | |||||
| CVE-2022-0335 | 1 Moodle | 1 Moodle | 2022-02-01 | 6.8 MEDIUM | 8.8 HIGH |
| A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk. | |||||
| CVE-2020-25699 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2021-10-19 | 5.0 MEDIUM | 7.5 HIGH |
| In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. | |||||
| CVE-2021-20187 | 1 Moodle | 1 Moodle | 2021-02-01 | 6.5 MEDIUM | 7.2 HIGH |
| It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. | |||||
| CVE-2020-25630 | 1 Moodle | 1 Moodle | 2020-12-08 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. | |||||
| CVE-2020-25629 | 1 Moodle | 1 Moodle | 2020-12-08 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. | |||||
| CVE-2020-25698 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2020-12-02 | 5.0 MEDIUM | 7.5 HIGH |
| Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. | |||||
| CVE-2016-7038 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | 7.3 HIGH |
| In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. | |||||
| CVE-2016-2157 | 1 Moodle | 1 Moodle | 2020-12-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests that manage Assignment plugins. | |||||
| CVE-2015-5338 | 1 Moodle | 1 Moodle | 2020-12-01 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1) mod/lesson/mediafile.php or (2) mod/lesson/view.php. | |||||
| CVE-2015-5267 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | 7.5 HIGH |
| lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. | |||||
| CVE-2015-3272 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.8 MEDIUM | 7.4 HIGH |
| Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an HTTP Referer header that has a substring match with a local URL. | |||||
| CVE-2016-3734 | 1 Moodle | 1 Moodle | 2020-12-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that marks forum posts as read. | |||||
| CVE-2018-10891 | 1 Moodle | 1 Moodle | 2020-10-23 | 7.5 HIGH | 7.3 HIGH |
| A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank. | |||||
| CVE-2019-3849 | 1 Moodle | 1 Moodle | 2020-10-16 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. | |||||
| CVE-2019-10154 | 1 Moodle | 1 Moodle | 2020-09-30 | 5.0 MEDIUM | 7.5 HIGH |
| A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations. | |||||
| CVE-2018-1133 | 1 Moodle | 1 Moodle | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection. | |||||
| CVE-2020-10738 | 1 Moodle | 1 Moodle | 2020-05-22 | 6.5 MEDIUM | 8.8 HIGH |
| A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions. It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution. | |||||
| CVE-2012-1155 | 4 Debian, Fedoraproject, Moodle and 1 more | 4 Debian Linux, Fedora, Moodle and 1 more | 2019-11-22 | 5.0 MEDIUM | 7.5 HIGH |
| Moodle has a database activity export permission issue where the export function of the database activity module exports all entries even those from groups the user does not belong to | |||||
| CVE-2012-1156 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2019-11-22 | 5.0 MEDIUM | 7.5 HIGH |
| Moodle before 2.2.2 has users' private files included in course backups | |||||
| CVE-2012-1168 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2019-11-22 | 6.4 MEDIUM | 8.2 HIGH |
| Moodle before 2.2.2 has a password and web services issue where when the user profile is updated the user password is reset if not specified. | |||||
| CVE-2012-1170 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2019-11-15 | 5.0 MEDIUM | 7.5 HIGH |
| Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough | |||||
| CVE-2018-1082 | 1 Moodle | 1 Moodle | 2019-10-09 | 6.8 MEDIUM | 8.1 HIGH |
| A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site. | |||||
| CVE-2018-16854 | 1 Moodle | 1 Moodle | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15. | |||||
| CVE-2018-14630 | 1 Moodle | 1 Moodle | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source. | |||||
| CVE-2019-10186 | 1 Moodle | 1 Moodle | 2019-08-27 | 6.8 MEDIUM | 8.8 HIGH |
| A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool. | |||||
| CVE-2019-6970 | 1 Moodle | 1 Moodle | 2019-03-22 | 6.0 MEDIUM | 7.5 HIGH |
| Moodle 3.5.x before 3.5.4 allows SSRF. | |||||
| CVE-2018-1137 | 1 Moodle | 1 Moodle | 2018-06-25 | 5.5 MEDIUM | 8.1 HIGH |
| An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack. | |||||
| CVE-2016-7919 | 1 Moodle | 1 Moodle | 2016-12-02 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting that "the person who is installing Moodle must know database access credentials and they can access the database directly; there is no need for them to create a SQL injection in one of the installation dialogue fields." | |||||
| CVE-2016-9186 | 1 Moodle | 1 Moodle | 2016-11-29 | 6.5 MEDIUM | 8.8 HIGH |
| Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. | |||||
| CVE-2016-9187 | 1 Moodle | 1 Moodle | 2016-11-29 | 6.5 MEDIUM | 8.8 HIGH |
| Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. | |||||