Search
Total
132 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5549 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-16 | N/A | 5.3 MEDIUM |
| Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage. | |||||
| CVE-2023-5548 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-16 | N/A | 5.3 MEDIUM |
| Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. | |||||
| CVE-2023-5545 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-16 | N/A | 5.3 MEDIUM |
| H5P metadata automatically populated the author with the user's username, which could be sensitive information. | |||||
| CVE-2023-5542 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-16 | N/A | 4.3 MEDIUM |
| Students in "Only see own membership" groups could see other students in the group, which should be hidden. | |||||
| CVE-2023-5541 | 1 Moodle | 1 Moodle | 2023-11-15 | N/A | 6.1 MEDIUM |
| The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content. | |||||
| CVE-2023-5544 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2023-11-15 | N/A | 5.4 MEDIUM |
| Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. | |||||
| CVE-2023-5546 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2023-11-15 | N/A | 5.4 MEDIUM |
| ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. | |||||
| CVE-2023-5547 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2023-11-15 | N/A | 6.1 MEDIUM |
| The course upload preview contained an XSS risk for users uploading unsafe data. | |||||
| CVE-2022-40316 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-08-08 | N/A | 4.3 MEDIUM |
| The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to. | |||||
| CVE-2022-35651 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2022-07-29 | N/A | 6.1 MEDIUM |
| A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. | |||||
| CVE-2022-35653 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2022-07-28 | N/A | 6.1 MEDIUM |
| A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users. | |||||
| CVE-2021-32477 | 1 Moodle | 1 Moodle | 2022-07-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). Moodle versions 3.10 to 3.10.3 are affected. | |||||
| CVE-2021-32478 | 1 Moodle | 1 Moodle | 2022-07-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected. | |||||
| CVE-2021-43558 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2022-06-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk. | |||||
| CVE-2021-43560 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2022-06-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events. | |||||
| CVE-2022-30597 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2022-06-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field. | |||||
| CVE-2022-30596 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2022-06-13 | 3.5 LOW | 5.4 MEDIUM |
| A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk. | |||||
| CVE-2022-30598 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2022-06-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it. | |||||
| CVE-2022-0985 | 1 Moodle | 1 Moodle | 2022-05-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability. | |||||
| CVE-2022-0984 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2022-05-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges. | |||||
| CVE-2022-0334 | 1 Moodle | 1 Moodle | 2022-02-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability. | |||||
| CVE-2020-1692 | 1 Moodle | 1 Moodle | 2022-01-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course. | |||||
| CVE-2019-18210 | 1 Moodle | 1 Moodle | 2021-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug." | |||||
| CVE-2021-20280 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2021-11-30 | 3.5 LOW | 5.4 MEDIUM |
| Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||
| CVE-2019-3810 | 1 Moodle | 1 Moodle | 2021-11-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted. | |||||
| CVE-2019-3847 | 1 Moodle | 1 Moodle | 2021-11-02 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf. | |||||
| CVE-2019-3848 | 1 Moodle | 1 Moodle | 2021-11-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.) | |||||
| CVE-2020-25703 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2021-10-19 | 5.0 MEDIUM | 5.3 MEDIUM |
| The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10. | |||||
| CVE-2021-32244 | 1 Moodle | 1 Moodle | 2021-06-21 | 3.5 LOW | 5.4 MEDIUM |
| Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field. | |||||
| CVE-2019-14827 | 1 Moodle | 1 Moodle | 2021-06-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions. | |||||
| CVE-2021-20282 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2021-03-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||
| CVE-2021-20283 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2021-03-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||
| CVE-2021-20281 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2021-03-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||
| CVE-2021-20279 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2021-03-23 | 3.5 LOW | 5.4 MEDIUM |
| The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||
| CVE-2019-14829 | 1 Moodle | 1 Moodle | 2021-03-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Moodle affection 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode. | |||||
| CVE-2019-14830 | 1 Moodle | 1 Moodle | 2021-03-22 | 5.8 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app"). | |||||
| CVE-2019-14828 | 1 Moodle | 1 Moodle | 2021-03-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role. | |||||
| CVE-2019-14831 | 1 Moodle | 1 Moodle | 2021-03-22 | 5.8 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscribe link contained an open redirect if forced subscription mode was enabled. If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect. | |||||
| CVE-2021-20185 | 1 Moodle | 1 Moodle | 2021-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages. | |||||
| CVE-2021-20183 | 1 Moodle | 1 Moodle | 2021-02-01 | 4.3 MEDIUM | 5.4 MEDIUM |
| It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries. | |||||
| CVE-2021-20186 | 1 Moodle | 1 Moodle | 2021-02-01 | 2.1 LOW | 5.4 MEDIUM |
| It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS. | |||||
| CVE-2021-20184 | 1 Moodle | 1 Moodle | 2021-02-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades. | |||||
| CVE-2020-25627 | 1 Moodle | 1 Moodle | 2020-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2. | |||||
| CVE-2020-25631 | 1 Moodle | 1 Moodle | 2020-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8. | |||||
| CVE-2020-25628 | 1 Moodle | 1 Moodle | 2020-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. | |||||
| CVE-2020-25700 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2020-12-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10. | |||||
| CVE-2020-25702 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2020-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10. | |||||
| CVE-2020-25701 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2020-12-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. | |||||
| CVE-2016-2156 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request. | |||||
| CVE-2016-2155 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging the Non-Editing Instructor role. | |||||