Search
Total
2412 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-2531 | 1 Microsoft | 2 Windows 7, Windows Server 2008 | 2021-02-05 | 2.1 LOW | N/A |
| Microsoft Internet Information Services (IIS) 7.5 uses weak permissions for the Operational log, which allows local users to discover credentials by reading this file, aka "Password Disclosure Vulnerability." | |||||
| CVE-2001-1387 | 1 Netfilter | 1 Iptables | 2021-02-02 | 2.1 LOW | N/A |
| iptables-save in iptables before 1.2.4 records the "--reject-with icmp-host-prohibited" rule as "--reject-with tcp-reset," which causes iptables to generate different responses than specified by the administrator, possibly leading to an information leak. | |||||
| CVE-2014-9279 | 1 Mantisbt | 1 Mantisbt | 2021-01-12 | 5.0 MEDIUM | N/A |
| The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL. | |||||
| CVE-2002-1718 | 1 Microsoft | 1 Internet Information Services | 2020-12-09 | 5.0 MEDIUM | N/A |
| Microsoft Internet Information Server (IIS) 5.1 may allow remote attackers to view the contents of a Frontpage Server Extension (FPSE) file, as claimed using an HTTP request for colegal.htm that contains .. (dot dot) sequences. | |||||
| CVE-2002-1717 | 1 Microsoft | 1 Internet Information Services | 2020-12-09 | 5.0 MEDIUM | N/A |
| Microsoft Internet Information Server (IIS) 5.1 allows remote attackers to view path information via a GET request to (1) /_vti_pvt/access.cnf, (2) /_vti_pvt/botinfs.cnf, (3) /_vti_pvt/bots.cnf, or (4) /_vti_pvt/linkinfo.cnf. | |||||
| CVE-2002-0812 | 2 Hpe, Proxim | 6 Compaq Wl310, Compaq Wl310 Firmware, Orinoco Rg-1000 and 3 more | 2020-12-09 | 6.4 MEDIUM | N/A |
| Information leak in Compaq WL310, and the Orinoco Residential Gateway access point it is based on, uses a system identification string as a default SNMP read/write community string, which allows remote attackers to obtain and modify sensitive configuration information by querying for the identification string. | |||||
| CVE-2007-1562 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2020-12-09 | 6.8 MEDIUM | N/A |
| The FTP protocol implementation in Mozilla Firefox before 1.5.0.11 and 2.x before 2.0.0.3 allows remote attackers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response. | |||||
| CVE-2015-0211 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before proceeding with registered-tool list searches, which allows remote authenticated users to obtain sensitive information via requests to the LTI Ajax service. | |||||
| CVE-2015-3180 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| lib/navigationlib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to obtain sensitive course-structure information by leveraging access to a student account with a suspended enrolment. | |||||
| CVE-2014-3543 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | N/A |
| mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format. | |||||
| CVE-2015-3176 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | N/A |
| The account-confirmation feature in login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote attackers to obtain sensitive full-name information by attempting to self-register. | |||||
| CVE-2015-0215 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request. | |||||
| CVE-2014-3542 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | N/A |
| mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
| CVE-2014-7833 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher. | |||||
| CVE-2014-7831 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service. | |||||
| CVE-2014-7848 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. | |||||
| CVE-2015-2266 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/site:readallmessages capability before accessing arbitrary conversations, which allows remote authenticated users to obtain sensitive personal-contact and unread-message-count information via a modified URL. | |||||
| CVE-2012-4407 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| lib/filelib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly check the publication state of blog files, which allows remote attackers to obtain sensitive information by reading a blog entry that references a non-public file. | |||||
| CVE-2012-5473 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to read activity entries of a different group's users via an advanced search. | |||||
| CVE-2012-4403 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| theme/yui_combo.php in Moodle 2.3.x before 2.3.2 does not properly construct error responses for the drag-and-drop script, which allows remote attackers to obtain the installation path by sending a request for a nonexistent resource and then reading the response. | |||||
| CVE-2014-0215 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| The blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote authenticated users to de-anonymize student identities by (1) using a screen reader or (2) reading the HTML source. | |||||
| CVE-2013-1835 | 1 Moodle | 1 Moodle | 2020-12-01 | 3.5 LOW | N/A |
| Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated administrators to obtain sensitive information from the external repositories of arbitrary users by leveraging the login_as feature. | |||||
| CVE-2013-1832 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance. | |||||
| CVE-2014-0217 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | N/A |
| enrol/index.php in Moodle 2.6.x before 2.6.3 does not check for the moodle/course:viewhiddencourses capability before listing hidden courses, which allows remote attackers to obtain sensitive name and summary information about these courses by leveraging the guest role and visiting a crafted URL. | |||||
| CVE-2013-1831 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message. | |||||
| CVE-2012-6104 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| blog/rsslib.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allows remote attackers to obtain sensitive information from site-level blogs by leveraging the guest role and reading an RSS feed. | |||||
| CVE-2013-4522 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| lib/filelib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 does not send "Cache-Control: private" HTTP headers, which allows remote attackers to obtain sensitive information by requesting a file that had been previously retrieved by a caching proxy server. | |||||
| CVE-2012-3394 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| auth/ldap/ntlmsso_attempt.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 redirects users from an https LDAP login URL to an http URL, which allows remote attackers to obtain sensitive information by sniffing the network. | |||||
| CVE-2013-1829 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| calendar/managesubscriptions.php in Moodle 2.4.x before 2.4.2 does not consider capability requirements before displaying calendar subscriptions, which allows remote authenticated users to obtain potentially sensitive information by leveraging the student role. | |||||
| CVE-2013-2243 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| mod/lesson/pagetypes/matching.php in Moodle through 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 allows remote authenticated users to obtain sensitive answer information by reading the HTML source code of a document. | |||||
| CVE-2012-6105 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| blog/rsslib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 continues to provide a blog RSS feed after blogging is disabled, which allows remote attackers to obtain sensitive information by reading this feed. | |||||
| CVE-2009-4300 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| Multiple unspecified authentication plugins in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 store the MD5 hashes for passwords in the user table, even when the cached hashes are not used by the plugin, which might make it easier for attackers to obtain credentials via unspecified vectors. | |||||
| CVE-2012-2353 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to obtain sensitive user information from hidden fields by leveraging the teacher role and navigating to "Enrolled users" under the Users Settings section. | |||||
| CVE-2009-4303 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores (1) password hashes and (2) unspecified "secrets" in backup files, which might allow attackers to obtain sensitive information. | |||||
| CVE-2011-4593 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 does not properly handle user/action_redir group messages, which allows remote authenticated users to discover e-mail addresses by visiting the messaging interface. | |||||
| CVE-2011-4283 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 places an IMS enterprise enrolment file in the course-files area, which allows remote attackers to obtain sensitive information via a request for imsenterprise-enrol.xml. | |||||
| CVE-2012-0792 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| mod/forum/user.php in Moodle 1.9.x before 1.9.16 allows remote authenticated users to obtain the names and other details of arbitrary user accounts by searching for posts. | |||||
| CVE-2012-2357 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| The Multi-Authentication feature in the Central Authentication Service (CAS) functionality in auth/cas/cas_form.html in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 does not use HTTPS, which allows remote attackers to obtain credentials by sniffing the network. | |||||
| CVE-2012-0800 | 1 Moodle | 1 Moodle | 2020-12-01 | 2.1 LOW | N/A |
| The form-autocompletion functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 makes it easier for physically proximate attackers to discover passwords by reading the contents of a non-password field, as demonstrated by accessing a create-groups page with Safari on an iPad device. | |||||
| CVE-2009-4298 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| The LAMS module (mod/lams) for Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores the (1) username, (2) firstname, and (3) lastname fields within the user table, which allows attackers to obtain user account information via unknown vectors. | |||||
| CVE-2011-4279 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| Moodle 2.0.x before 2.0.2 does not use the forceloginforprofiles setting for course-profiles access control, which makes it easier for remote attackers to obtain potentially sensitive information via vectors involving use of a search engine, as demonstrated by the search functionality of Google, Yahoo!, Wrensoft Zoom, MSN, Yandex, and AltaVista. | |||||
| CVE-2011-4284 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| Moodle 2.0.x before 2.0.2 allows remote attackers to obtain sensitive information from a myprofile (aka My profile) block by visiting a user-context page. | |||||
| CVE-2011-4304 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| The chat functionality in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote authenticated users to discover the name of any user via a beep operation. | |||||
| CVE-2012-0799 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | N/A |
| Moodle 2.0.x before 2.0.7 and 2.1.x before 2.1.4, when an anonymous front-page forum is enabled, allows remote attackers to obtain session keys for their sessions by visiting the front page. | |||||
| CVE-2011-4581 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| mod/wiki/pagelib.php in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 allows remote authenticated users to discover the username of a wiki creator by visiting the history and deletion user interface. | |||||
| CVE-2006-5858 | 2 Adobe, Microsoft | 3 Coldfusion, Jrun, Internet Information Services | 2020-11-23 | 5.0 MEDIUM | N/A |
| Adobe ColdFusion MX 7 through 7.0.2, and JRun 4, when run on Microsoft IIS, allows remote attackers to read arbitrary files, list directories, or read source code via a double URL-encoded NULL byte in a ColdFusion filename, such as a CFM file. | |||||
| CVE-2000-0649 | 1 Microsoft | 2 Internet Information Server, Internet Information Services | 2020-11-23 | 2.6 LOW | N/A |
| IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined. | |||||
| CVE-2002-0419 | 1 Microsoft | 2 Internet Information Server, Internet Information Services | 2020-11-23 | 5.0 MEDIUM | N/A |
| Information leaks in IIS 4 through 5.1 allow remote attackers to obtain potentially sensitive information or more easily conduct brute force attacks via responses from the server in which (2) in certain configurations, the server IP address is provided as the realm for Basic authentication, which could reveal real IP addresses that were obscured by NAT, or (3) when NTLM authentication is used, the NetBIOS name of the server and its Windows NT domain are revealed in response to an Authorization request. NOTE: this entry originally contained a vector (1) in which the server reveals whether it supports Basic or NTLM authentication through 401 Access Denied error messages. CVE has REJECTED this vector; it is not a vulnerability because the information is already available through legitimate use, since authentication cannot proceed without specifying a scheme that is supported by both the client and the server. | |||||
| CVE-2002-0422 | 1 Microsoft | 1 Internet Information Services | 2020-11-23 | 2.6 LOW | N/A |
| IIS 5 and 5.1 supporting WebDAV methods allows remote attackers to determine the internal IP address of the system (which may be obscured by NAT) via (1) a PROPFIND HTTP request with a blank Host header, which leaks the address in an HREF property in a 207 Multi-Status response, or (2) via the WRITE or MKCOL method, which leaks the IP in the Location server header. | |||||
| CVE-2008-3914 | 1 Clamav | 1 Clamav | 2020-11-05 | 10.0 HIGH | N/A |
| Multiple unspecified vulnerabilities in ClamAV before 0.94 have unknown impact and attack vectors related to file descriptor leaks on the "error path" in (1) libclamav/others.c and (2) libclamav/sis.c. | |||||