MidnightBSD

Advisories for moodle

CVE-2004-0725 MEDIUM

Cross-site scripting (XSS) vulnerability in help.php in Moodle 1.3.2 and 1.4 dev allows remote attackers to inject arbitrary web script or HTML via the file parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.2.0
moodle moodle 1.2.1
moodle moodle 1.3.0
moodle moodle 1.1.1
moodle moodle 1.3.1
moodle moodle 1.3.2
CVE-2004-1424 MEDIUM

Cross-site scripting (XSS) vulnerability in view.php in Moodle 1.4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 1.2.0
moodle moodle 1.4.1
moodle moodle 1.2.1
moodle moodle 1.3.0
moodle moodle 1.3.3
moodle moodle 1.1.1
moodle moodle 1.3.4
moodle moodle 1.3.1
moodle moodle 1.3.2
moodle moodle 1.4.2
CVE-2004-1425 MEDIUM

Directory traversal vulnerability in file.php in Moodle 1.4.2 and earlier allows remote attackers to read arbitrary session files for known session IDs via a .. (dot dot) in the file parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.2.0
moodle moodle 1.4.1
moodle moodle 1.2.1
moodle moodle 1.3.0
moodle moodle 1.3.3
moodle moodle 1.1.1
moodle moodle 1.3.4
moodle moodle 1.3.1
moodle moodle 1.3.2
moodle moodle 1.4.2
CVE-2004-1711 MEDIUM

Cross-site scripting (XSS) vulnerability in post.php in Moodle before 1.3 allows remote attackers to inject arbitrary web script or HTML via the reply parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.2.0
moodle moodle 1.2.1
moodle moodle 1.3.0
moodle moodle 1.3.3
moodle moodle 1.1.1
moodle moodle 1.3.1
moodle moodle 1.3.2
CVE-2004-1978 MEDIUM

Cross-site scripting (XSS) vulnerability in help.php in Moodle before 1.3 allows remote attackers to inject arbitrary HTML and web script via the text parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.2.0
moodle moodle 1.2.1
moodle moodle 1.1.1
CVE-2004-2232 HIGH

SQL injection vulnerability in sql.php in the Glossary module in Moodle 1.4.1 and earlier allows remote attackers to modify SQL statements.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.2.0
moodle moodle 1.4.1
moodle moodle 1.2.1
moodle moodle 1.3.0
moodle moodle 1.3.3
moodle moodle 1.1.1
moodle moodle 1.3.4
moodle moodle 1.3.1
moodle moodle 1.3.2
CVE-2004-2233 HIGH

Unknown "front page vulnerability with Moodle servers" for Moodle before 1.3.2 has unknown impact and attack vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.2.0
moodle moodle 1.2.1
moodle moodle 1.3.0
moodle moodle 1.1.1
moodle moodle 1.3.1
CVE-2004-2235 HIGH

Unknown vulnerability in Moodle before 1.2 has unknown impact and attack vectors, related to improper filtering of text.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.1.1
CVE-2004-2236 HIGH

Unknown vulnerability in Moodle before 1.3.3 has unknown impact and attack vectors, related to language setting.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.2.0
moodle moodle 1.2.1
moodle moodle 1.3.0
moodle moodle 1.1.1
moodle moodle 1.3.1
moodle moodle 1.3.2
CVE-2004-2237 HIGH

Unknown vulnerability in Moodle before 1.3.4 has unknown impact and attack vectors, related to "strings in Moodle texts."

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.2.0
moodle moodle 1.2.1
moodle moodle 1.3.0
moodle moodle 1.3.3
moodle moodle 1.1.1
moodle moodle 1.3.1
moodle moodle 1.3.2
CVE-2005-2247 HIGH

Multiple unknown vulnerabilities in Moodle before 1.5.1 have unknown impact and attack vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.2.0
moodle moodle 1.4.1
moodle moodle 1.5_beta
moodle moodle 1.2.1
moodle moodle 1.3.3
moodle moodle 1.5
moodle moodle 1.4.3
moodle moodle 1.1.1
moodle moodle 1.3.1
moodle moodle 1.3.0
moodle moodle 1.3.4
moodle moodle 1.3.2
moodle moodle 1.4.4
moodle moodle 1.4.2
moodle moodle 1.4.5
CVE-2005-3648 HIGH

Multiple SQL injection vulnerabilities in the get_record function in datalib.php in Moodle 1.5.2 allow remote attackers to execute arbitrary SQL commands via the id parameter in (1) category.php and (2) info.php.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.5.2
CVE-2005-3649 LOW

jumpto.php in Moodle 1.5.2 allows remote attackers to redirect users to other sites via the jump parameter.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.5.2
CVE-2006-0146 HIGH

The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
the_cacti_group cacti 0.8.6g
postnuke_software_foundation postnuke 0.761
mantis mantis 0.19.4
moodle moodle 1.5.3
mediabeez mediabeez *
john_lim adodb 4.66
john_lim adodb 4.68
mantis mantis 1.0.0_rc4
CVE-2006-0147 HIGH

Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
the_cacti_group cacti 0.8.6g
postnuke_software_foundation postnuke 0.761
mantis mantis 0.19.4
moodle moodle 1.5.3
john_lim adodb 4.66
john_lim adodb 4.68
mantis mantis 1.0.0_rc4
CVE-2010-1613 MEDIUM

Moodle 1.8.x and 1.9.x before 1.9.8 does not enable the "Regenerate session id during login" setting by default, which makes it easier for remote attackers to conduct session fixation attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
moodle moodle 1.8.5
moodle moodle 1.9.4
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.9.5
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.8.10
moodle moodle 1.8.8
moodle moodle 1.8.11
moodle moodle 1.8.6
moodle moodle 1.8.2
moodle moodle 1.9.6
moodle moodle 1.8.3
moodle moodle 1.9.7
moodle moodle 1.9.3
CVE-2010-1614 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the Login-As feature or (2) when the global search feature is enabled, unspecified global search forms in the Global Search Engine. NOTE: vector 1 might be resultant from a cross-site request forgery (CSRF) vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 1.8.5
moodle moodle 1.9.4
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.9.5
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.8.10
moodle moodle 1.8.8
moodle moodle 1.8.11
moodle moodle 1.8.6
moodle moodle 1.8.2
moodle moodle 1.9.6
moodle moodle 1.8.3
moodle moodle 1.9.7
moodle moodle 1.9.3
CVE-2010-1615 HIGH

Multiple SQL injection vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the add_to_log function in mod/wiki/view.php in the wiki module, or (2) "data validation in some forms elements" related to lib/form/selectgroups.php.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
moodle moodle 1.8.5
moodle moodle 1.9.4
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.9.5
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.8.10
moodle moodle 1.8.8
moodle moodle 1.8.11
moodle moodle 1.8.6
moodle moodle 1.8.2
moodle moodle 1.9.6
moodle moodle 1.8.3
moodle moodle 1.9.7
moodle moodle 1.9.3
CVE-2010-1616 MEDIUM

Moodle 1.8.x and 1.9.x before 1.9.8 can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 1.8.5
moodle moodle 1.9.4
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.9.5
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.8.10
moodle moodle 1.8.8
moodle moodle 1.8.11
moodle moodle 1.8.6
moodle moodle 1.8.2
moodle moodle 1.9.6
moodle moodle 1.8.3
moodle moodle 1.9.7
moodle moodle 1.9.3
CVE-2010-1617 MEDIUM

user/view.php in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 does not properly check a role, which allows remote authenticated users to obtain the full names of other users via the course profile page.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 1.8.5
moodle moodle 1.9.4
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.9.5
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.8.10
moodle moodle 1.8.8
moodle moodle 1.8.11
moodle moodle 1.8.6
moodle moodle 1.8.2
moodle moodle 1.9.6
moodle moodle 1.8.3
moodle moodle 1.9.7
moodle moodle 1.9.3
CVE-2010-1618 MEDIUM

Cross-site scripting (XSS) vulnerability in the phpCAS client library before 1.1.0, as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 1.8.5
moodle moodle 1.9.4
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.9.5
ja-sig phpcas_client_library 1.0.1
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.8.10
moodle moodle 1.8.8
moodle moodle 1.8.11
moodle moodle 1.8.6
moodle moodle 1.8.2
moodle moodle 1.9.6
moodle moodle 1.8.3
moodle moodle 1.9.7
ja-sig phpcas_client_library 1.0.0
moodle moodle 1.9.3
CVE-2010-1619 MEDIUM

Cross-site scripting (XSS) vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 1.8.5
moodle moodle 1.9.4
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.9.5
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.8.10
moodle moodle 1.8.8
moodle moodle 1.8.11
moodle moodle 1.8.6
moodle moodle 1.8.2
moodle moodle 1.9.6
moodle moodle 1.8.3
moodle moodle 1.9.7
moodle moodle 1.9.3
CVE-2010-2228 MEDIUM

Cross-site scripting (XSS) vulnerability in the MNET access-control interface in Moodle before 1.8.13 and 1.9.x before 1.9.9 allows remote attackers to inject arbitrary web script or HTML via vectors involving extended characters in a username.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 1.7.4
moodle moodle 1.7.2
moodle moodle 1.3.3
moodle moodle 1.7.1
moodle moodle 1.6.0
moodle moodle 1.8.6
moodle moodle 1.3.0
moodle moodle 1.5.0
moodle moodle 1.5.2
moodle moodle 1.7.5
moodle moodle 1.3.4
moodle moodle 1.4.4
moodle moodle 1.4.2
moodle moodle 1.9.4
moodle moodle 1.6.1
moodle moodle 1.1.1
moodle moodle 1.6.7
moodle moodle 1.8.10
moodle moodle 1.3.1
moodle moodle 1.8.8
moodle moodle 1.5.1
moodle moodle *
moodle moodle 1.5.3
moodle moodle 1.8.3
moodle moodle 1.9.7
moodle moodle 1.9.3
moodle moodle 1.3.2
moodle moodle 1.9.8
moodle moodle 1.4.1
moodle moodle 1.6.8
moodle moodle 1.2.1
moodle moodle 1.9.2
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.9.5
moodle moodle 1.5
moodle moodle 1.4.3
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.6.5
moodle moodle 1.8.2
moodle moodle 1.9.6
moodle moodle 1.7.3
moodle moodle 1.4.5
moodle moodle 1.8.5
moodle moodle 1.2.0
moodle moodle 1.6.2
moodle moodle 1.6.3
moodle moodle 1.9.1
moodle moodle 1.6.6
moodle moodle 1.6.4
moodle moodle 1.8.11
moodle moodle 1.7.6
CVE-2010-2229 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in blog/index.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 1.7.4
moodle moodle 1.7.2
moodle moodle 1.3.3
moodle moodle 1.7.1
moodle moodle 1.6.0
moodle moodle 1.8.6
moodle moodle 1.3.0
moodle moodle 1.5.0
moodle moodle 1.5.2
moodle moodle 1.7.5
moodle moodle 1.3.4
moodle moodle 1.4.4
moodle moodle 1.4.2
moodle moodle 1.9.4
moodle moodle 1.6.1
moodle moodle 1.1.1
moodle moodle 1.6.7
moodle moodle 1.8.10
moodle moodle 1.3.1
moodle moodle 1.8.8
moodle moodle 1.5.1
moodle moodle *
moodle moodle 1.5.3
moodle moodle 1.8.3
moodle moodle 1.9.7
moodle moodle 1.9.3
moodle moodle 1.3.2
moodle moodle 1.9.8
moodle moodle 1.4.1
moodle moodle 1.6.8
moodle moodle 1.2.1
moodle moodle 1.9.2
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.9.5
moodle moodle 1.5
moodle moodle 1.4.3
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.6.5
moodle moodle 1.8.2
moodle moodle 1.9.6
moodle moodle 1.7.3
moodle moodle 1.4.5
moodle moodle 1.8.5
moodle moodle 1.2.0
moodle moodle 1.6.2
moodle moodle 1.6.3
moodle moodle 1.9.1
moodle moodle 1.6.6
moodle moodle 1.6.4
moodle moodle 1.8.11
moodle moodle 1.7.6
CVE-2010-2230 MEDIUM

The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 1.7.4
moodle moodle 1.7.2
moodle moodle 1.3.3
moodle moodle 1.7.1
moodle moodle 1.6.0
moodle moodle 1.8.6
moodle moodle 1.3.0
moodle moodle 1.5.0
moodle moodle 1.5.2
moodle moodle 1.7.5
moodle moodle 1.3.4
moodle moodle 1.4.4
moodle moodle 1.4.2
moodle moodle 1.9.4
moodle moodle 1.6.1
moodle moodle 1.1.1
moodle moodle 1.6.7
moodle moodle 1.8.10
moodle moodle 1.3.1
moodle moodle 1.8.8
moodle moodle 1.5.1
moodle moodle *
moodle moodle 1.5.3
moodle moodle 1.8.3
moodle moodle 1.9.7
moodle moodle 1.9.3
moodle moodle 1.3.2
moodle moodle 1.9.8
moodle moodle 1.4.1
moodle moodle 1.6.8
moodle moodle 1.2.1
moodle moodle 1.9.2
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.9.5
moodle moodle 1.5
moodle moodle 1.4.3
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.6.5
moodle moodle 1.8.2
moodle moodle 1.9.6
moodle moodle 1.7.3
moodle moodle 1.4.5
moodle moodle 1.8.5
moodle moodle 1.2.0
moodle moodle 1.6.2
moodle moodle 1.6.3
moodle moodle 1.9.1
moodle moodle 1.6.6
moodle moodle 1.6.4
moodle moodle 1.8.11
moodle moodle 1.7.6
CVE-2010-2231 MEDIUM

Cross-site request forgery (CSRF) vulnerability in report/overview/report.php in the quiz module in Moodle before 1.8.13 and 1.9.x before 1.9.9 allows remote attackers to hijack the authentication of arbitrary users for requests that delete quiz attempts via the attemptid parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 1.7.4
moodle moodle 1.7.2
moodle moodle 1.3.3
moodle moodle 1.7.1
moodle moodle 1.6.0
moodle moodle 1.8.6
moodle moodle 1.3.0
moodle moodle 1.5.0
moodle moodle 1.5.2
moodle moodle 1.7.5
moodle moodle 1.3.4
moodle moodle 1.4.4
moodle moodle 1.4.2
moodle moodle 1.9.4
moodle moodle 1.6.1
moodle moodle 1.1.1
moodle moodle 1.6.7
moodle moodle 1.8.10
moodle moodle 1.3.1
moodle moodle 1.8.8
moodle moodle 1.5.1
moodle moodle *
moodle moodle 1.5.3
moodle moodle 1.8.3
moodle moodle 1.9.7
moodle moodle 1.9.3
moodle moodle 1.3.2
moodle moodle 1.9.8
moodle moodle 1.4.1
moodle moodle 1.6.8
moodle moodle 1.2.1
moodle moodle 1.9.2
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.9.5
moodle moodle 1.5
moodle moodle 1.4.3
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.6.5
moodle moodle 1.8.2
moodle moodle 1.9.6
moodle moodle 1.7.3
moodle moodle 1.4.5
moodle moodle 1.8.5
moodle moodle 1.2.0
moodle moodle 1.6.2
moodle moodle 1.6.3
moodle moodle 1.9.1
moodle moodle 1.6.6
moodle moodle 1.6.4
moodle moodle 1.8.11
moodle moodle 1.7.6
CVE-2011-3757 MEDIUM

Moodle 2.0.1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by webservice/xmlrpc/locallib.php and certain other files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.1
CVE-2011-4133 MEDIUM

Cross-site request forgery (CSRF) vulnerability in Moodle 1.9.x before 1.9.11 allows remote attackers to hijack the authentication of unspecified victims for requests that modify an RSS feed in an RSS block.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 1.9.6
moodle moodle 1.9.2
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.9
moodle moodle 1.9.3
CVE-2011-4203 MEDIUM

CRLF injection vulnerability in calendar/set.php in the Calendar component in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, 2.1.x before 2.1.3, and 2.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors involving the url variable.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 1.9.10
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 1.9.4
moodle moodle 2.0.3
moodle moodle 1.9.1
moodle moodle 1.9.14
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 2.2.0
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.1.1
CVE-2011-4278 MEDIUM

Cross-site scripting (XSS) vulnerability in the tag autocomplete functionality in Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.0.0
CVE-2011-4279 MEDIUM

Moodle 2.0.x before 2.0.2 does not use the forceloginforprofiles setting for course-profiles access control, which makes it easier for remote attackers to obtain potentially sensitive information via vectors involving use of a search engine, as demonstrated by the search functionality of Google, Yahoo!, Wrensoft Zoom, MSN, Yandex, and AltaVista.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.1
moodle moodle 2.0.0
CVE-2011-4280 MEDIUM

Cross-site scripting (XSS) vulnerability in the Spike PHPCoverage (aka spikephpcoverage) library, as used in Moodle 2.0.x before 2.0.2 and other products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.1
nimish_pachapurkar spike_phpcoverage *
moodle moodle 2.0.0
CVE-2011-4281 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in Moodle 2.0.x before 2.0.2 allow remote attackers to hijack the authentication of arbitrary users for requests that mark the completion of (1) an activity or (2) a course.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.0.1
moodle moodle 2.0.0
CVE-2011-4282 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the course-tags functionality in tag/coursetags_more.php in Moodle 2.0.x before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) sort or (2) show parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.1
moodle moodle 2.0.0
CVE-2011-4283 MEDIUM

Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 places an IMS enterprise enrolment file in the course-files area, which allows remote attackers to obtain sensitive information via a request for imsenterprise-enrol.xml.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.0.0
CVE-2011-4284 MEDIUM

Moodle 2.0.x before 2.0.2 allows remote attackers to obtain sensitive information from a myprofile (aka My profile) block by visiting a user-context page.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.1
moodle moodle 2.0.0
CVE-2011-4285 MEDIUM

The default configuration of Moodle 2.0.x before 2.0.2 has an incorrect setting of the moodle/course:delete capability, which allows remote authenticated users to delete arbitrary courses by leveraging the teacher role.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.1
moodle moodle 2.0.0
CVE-2011-4286 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the media-filter implementation in filter/mediaplugin/filter.php in Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) Flash Video (aka FLV) files and (2) YouTube videos.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.0.0
CVE-2011-4287 MEDIUM

admin/uploaduser_form.php in Moodle 2.0.x before 2.0.3 does not force password changes for autosubscribed users, which makes it easier for remote attackers to obtain access by leveraging knowledge of the initial password of a new user.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.0
CVE-2011-4288 MEDIUM

Moodle 1.9.x before 1.9.12 and 2.0.x before 2.0.3 does not properly implement associations between teachers and groups, which allows remote authenticated users to read quiz reports of arbitrary students by leveraging the teacher role.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.0.0
CVE-2011-4289 MEDIUM

Moodle 2.0.x before 2.0.3 does not recognize the configuration setting that makes e-mail addresses visible only to course members, which allows remote authenticated users to obtain sensitive address information by reading a full profile page.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.0
CVE-2011-4290 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in lib/weblib.php in Moodle 1.9.x before 1.9.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to URL encoding.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 1.9.6
moodle moodle 1.9.2
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 1.9.11
CVE-2011-4291 MEDIUM

Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted ratings operations.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.0
CVE-2011-4292 MEDIUM

Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted comments operations.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.0
CVE-2011-4293 MEDIUM

The theme implementation in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 triggers duplicate caching of Cascading Style Sheets (CSS) and JavaScript content, which allows remote attackers to bypass intended access restrictions and write to an operating-system temporary directory via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.0
moodle moodle 2.0.0
CVE-2011-4294 MEDIUM

The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 2.0.3
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.0.0
CVE-2011-4295 MEDIUM

The moodle_enrol_external:role_assign function in enrol/externallib.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 does not have an authorization check, which allows remote authenticated users to gain privileges by making a role assignment.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.0
moodle moodle 2.0.0
CVE-2011-4296 MEDIUM

lib/db/access.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 assigns incorrect capabilities to the course-creator role, which allows remote authenticated users to modify course filters by leveraging this role.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.0
moodle moodle 2.0.0
CVE-2011-4297 MEDIUM

comment/lib.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 does not properly restrict comment capabilities, which allows remote attackers to post a comment by leveraging the guest role and operating on a front-page activity.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.0
moodle moodle 2.0.0
CVE-2011-4298 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in mod/wiki/ components in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allow remote attackers to hijack the authentication of arbitrary users for requests that modify wiki data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.0
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4299 MEDIUM

Cross-site scripting (XSS) vulnerability in mod/wiki/pagelib.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote authenticated users to inject arbitrary web script or HTML via a wiki comment.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.0
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4300 MEDIUM

The file_browser component in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 does not properly restrict access to category and course data, which allows remote attackers to obtain potentially sensitive information via a request for a file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.0
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4301 MEDIUM

The MoodleQuickForm class in the Forms Library in lib/formslib.php in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 does not recognize Forms API setConstant operations, which allows remote attackers to submit unexpected form content by modifying the values of constant fields.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 2.0.3
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4302 MEDIUM

mnet/xmlrpc/client.php in MNET in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 does not properly process the return value of the openssl_verify function, which allows remote attackers to bypass validation via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 2.0.3
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4303 MEDIUM

lib/db/upgrade.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 does not set the correct registration_hubs.secret value during installation, which allows remote attackers to bypass intended access restrictions by leveraging the hubs feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.0
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4304 MEDIUM

The chat functionality in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote authenticated users to discover the name of any user via a beep operation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.0
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4305 MEDIUM

message/refresh.php in Moodle 1.9.x before 1.9.14 allows remote authenticated users to cause a denial of service (infinite request loop) via a URL that specifies a zero wait time for message refreshing.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.9.12
moodle moodle 1.9.6
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
CVE-2011-4306 MEDIUM

Cross-site scripting (XSS) vulnerability in course/editsection.html in Moodle 1.9.x before 1.9.14 allows remote authenticated users to inject arbitrary web script or HTML via crafted data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.9.12
moodle moodle 1.9.6
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
CVE-2011-4307 MEDIUM

Cross-site scripting (XSS) vulnerability in mod/wiki/lang/en/wiki.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the section parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.0
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4308 MEDIUM

mod/forum/user.php in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 allows remote authenticated users to discover the names of other users via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 2.0.3
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4309 MEDIUM

Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote attackers to bypass intended access restrictions and perform global searches by leveraging the guest role and making a direct request to a URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.0
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4581 MEDIUM

mod/wiki/pagelib.php in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 allows remote authenticated users to discover the username of a wiki creator by visiting the history and deletion user interface.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4584 MEDIUM

The MNET authentication functionality in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 allows remote authenticated users to impersonate other user accounts by using the Login As feature in conjunction with a remote MNET single sign-on capability, as demonstrated by a Mahara site.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 2.0.3
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.9.14
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4585 MEDIUM

login/change_password.php in Moodle 1.9.x before 1.9.15 does not use https for the change-password form even if the httpslogin option is enabled, which allows remote attackers to obtain credentials by sniffing the network.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-16,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.9.14
moodle moodle 1.9.12
moodle moodle 1.9.6
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
CVE-2011-4586 MEDIUM

CRLF injection vulnerability in calendar/set.php in the Calendar subsystem in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 2.0.3
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.9.14
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4587 MEDIUM

lib/moodlelib.php in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 does not properly handle certain zero values in the password policy, which makes it easier for remote attackers to obtain access by leveraging the possible existence of user accounts that have unchangeable blank passwords.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 2.0.3
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.9.14
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4588 MEDIUM

The ip_in_range function in mnet/lib.php in MNET in Moodle 1.9.x before 1.9.15 uses an incorrect data type, which allows remote attackers to bypass intended IP address restrictions via an XMLRPC request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.9.14
moodle moodle 1.9.12
moodle moodle 1.9.6
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
CVE-2011-4591 MEDIUM

Cross-site scripting (XSS) vulnerability in the print_object function in lib/datalib.php in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3, when a developer debugging script is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors involving object states.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4592 MEDIUM

The command-line cron implementation in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 does not properly interact with IP blocking, which might allow remote attackers to bypass intended IP address restrictions by leveraging a configuration in which IP blocking was disabled to restore cron functionality.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.0.2
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2011-4593 MEDIUM

Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 does not properly handle user/action_redir group messages, which allows remote authenticated users to discover e-mail addresses by visiting the messaging interface.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 2.0.3
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.9.14
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2012-0792 MEDIUM

mod/forum/user.php in Moodle 1.9.x before 1.9.16 allows remote authenticated users to obtain the names and other details of arbitrary user accounts by searching for posts.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.9.14
moodle moodle 1.9.12
moodle moodle 1.9.6
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 1.9.15
CVE-2012-0793 MEDIUM

Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote attackers to view the profile images of arbitrary user accounts via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 1.9.10
moodle moodle 2.0.0
moodle moodle 1.9.15
moodle moodle 2.0.4
moodle moodle 2.0.6
moodle moodle 1.9.4
moodle moodle 2.0.3
moodle moodle 1.9.1
moodle moodle 1.9.14
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 2.2.0
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.1.1
CVE-2012-0794 MEDIUM

The rc4encrypt function in lib/moodlelib.php in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 uses a hardcoded password of nfgjeingjk, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by reading this script's source code within the open-source software distribution.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 1.9.10
moodle moodle 2.0.0
moodle moodle 1.9.15
moodle moodle 2.0.4
moodle moodle 2.0.6
moodle moodle 1.9.4
moodle moodle 2.0.3
moodle moodle 1.9.1
moodle moodle 1.9.14
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 2.2.0
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.1.1
CVE-2012-0795 MEDIUM

Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 does not validate e-mail address settings, which allows remote authenticated users to have an unspecified impact via a crafted address.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 1.9.10
moodle moodle 2.0.0
moodle moodle 1.9.15
moodle moodle 2.0.4
moodle moodle 2.0.6
moodle moodle 1.9.4
moodle moodle 2.0.3
moodle moodle 1.9.1
moodle moodle 1.9.14
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 2.2.0
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.1.1
CVE-2012-0796 MEDIUM

class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 and other products, allows remote authenticated users to inject arbitrary e-mail headers via vectors involving a crafted (1) From: or (2) Sender: header.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.9.8
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 1.9.10
moodle moodle 2.0.0
moodle moodle 1.9.15
moodle moodle 2.0.4
moodle moodle 2.0.6
moodle moodle 1.9.4
moodle moodle 2.0.3
moodle moodle 1.9.1
moodle moodle 1.9.14
moodle moodle 2.0.2
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 2.2.0
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 2.1.1
CVE-2012-0797 MEDIUM

The webservices functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote authenticated users to bypass the deleted status and continue using a server via a token.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-16,

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 2.2.0
CVE-2012-0798 MEDIUM

The self-enrolment functionality in Moodle 2.1.x before 2.1.4 and 2.2.x before 2.2.1 allows remote authenticated users to obtain the manager role by leveraging the teacher role.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.1.3
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.1
CVE-2012-0799 MEDIUM

Moodle 2.0.x before 2.0.7 and 2.1.x before 2.1.4, when an anonymous front-page forum is enabled, allows remote attackers to obtain session keys for their sessions by visiting the front page.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.0.6
moodle moodle 2.0.2
moodle moodle 2.1.3
moodle moodle 2.0.1
moodle moodle 2.0.3
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2012-0800 LOW

The form-autocompletion functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 makes it easier for physically proximate attackers to discover passwords by reading the contents of a non-password field, as demonstrated by accessing a create-groups page with Safari on an iPad device.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.0.6
moodle moodle 2.0.3
moodle moodle 2.0.2
moodle moodle 2.1.3
moodle moodle 2.0.1
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2012-0801 HIGH

lib/formslib.php in Moodle 2.1.x before 2.1.4 and 2.2.x before 2.2.1 does not properly handle multiple instances of a form element, which has unspecified impact and remote attack vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
moodle moodle 2.1.3
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.1
CVE-2012-2354 MEDIUM

Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass the moodle/site:readallmessages capability requirement and read arbitrary messages by using the "Recent conversations" feature with a modified parameter in a URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.1.1
moodle moodle 2.1.4
CVE-2012-2357 MEDIUM

The Multi-Authentication feature in the Central Authentication Service (CAS) functionality in auth/cas/cas_form.html in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 does not use HTTPS, which allows remote attackers to obtain credentials by sniffing the network.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.1.1
moodle moodle 2.1.4
CVE-2012-2359 MEDIUM

admin/roles/override.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to gain privileges by leveraging the teacher role and modifying their own capabilities, as demonstrated by obtaining the backup:userinfo capability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.0.6
moodle moodle 2.0.3
moodle moodle 2.0.7
moodle moodle 2.1.4
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle 2.0.8
moodle moodle 2.1.3
moodle moodle 2.0.1
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2012-2362 LOW

Cross-site scripting (XSS) vulnerability in blog/lib.php in the blog implementation in Moodle 1.9.x before 1.9.18, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via a crafted parameter to blog/index.php.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 1.9.4
moodle moodle 1.9.8
moodle moodle 1.9.17
moodle moodle 1.9.2
moodle moodle 1.9.1
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.9.14
moodle moodle 1.9.12
moodle moodle 1.9.16
moodle moodle 1.9.6
moodle moodle 1.9.7
moodle moodle 1.9.10
moodle moodle 1.9.9
moodle moodle 1.9.3
moodle moodle 1.9.15
CVE-2012-2364 LOW

Cross-site scripting (XSS) vulnerability in lib/filelib.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via an assignment submission with zip compression, leading to text/html rendering during a "download all" action.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.0.6
moodle moodle 2.0.3
moodle moodle 2.0.7
moodle moodle 2.1.4
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle 2.0.8
moodle moodle 2.1.3
moodle moodle 2.0.1
moodle moodle 2.1.2
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2012-3390 LOW

lib/filelib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not properly restrict file access after a block has been hidden, which allows remote authenticated users to obtain sensitive information by reading a file that is embedded in a block.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.1.2
moodle moodle 2.1.6
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.1
moodle moodle 2.1.4
CVE-2012-3394 MEDIUM

auth/ldap/ntlmsso_attempt.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 redirects users from an https LDAP login URL to an http URL, which allows remote attackers to obtain sensitive information by sniffing the network.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.1.6
moodle moodle 2.1.4
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2012-3396 LOW

Cross-site scripting (XSS) vulnerability in cohort/edit_form.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the idnumber field. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2365.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.0.6
moodle moodle 2.0.3
moodle moodle 2.1.6
moodle moodle 2.0.9
moodle moodle 2.0.7
moodle moodle 2.1.4
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle 2.0.8
moodle moodle 2.1.3
moodle moodle 2.0.1
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.1.1
CVE-2012-6087 MEDIUM

repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.2.8
moodle moodle 2.2.10
moodle moodle 2.3.1
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.2.2
moodle moodle *
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.2.5
CVE-2012-6098 MEDIUM

grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/grade:manage capability requirement, which allows remote authenticated users to convert custom outcomes into standard site-wide outcomes by leveraging the teacher role and using the re-editing feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.1.7
moodle moodle 1.9.8
moodle moodle 1.9.17
moodle moodle 2.4.0
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 1.9.16
moodle moodle 1.9.6
moodle moodle 1.9.10
moodle moodle 1.9.15
moodle moodle 2.3.1
moodle moodle 1.9.4
moodle moodle 2.1.6
moodle moodle 2.2.4
moodle moodle 1.9.1
moodle moodle 1.9.18
moodle moodle 2.3.2
moodle moodle 1.9.14
moodle moodle 2.2.2
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.2.6
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 1.9.7
moodle moodle 2.2.0
moodle moodle 1.9.9
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 1.9.3
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2012-6099 MEDIUM

The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
moodle moodle 2.1.7
moodle moodle 2.4.0
moodle moodle 2.1.6
moodle moodle 2.2.4
moodle moodle 2.3.2
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.2.6
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.3.1
CVE-2012-6100 MEDIUM

report/outline/index.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/user:viewhiddendetails capability requirement, which allows remote authenticated users to discover a hidden lastaccess value by reading an activity report.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.2.4
moodle moodle 2.3.2
moodle moodle 2.3.3
moodle moodle 2.2.2
moodle moodle 2.2.6
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.2.5
moodle moodle 2.3.1
CVE-2012-6101 MEDIUM

Multiple open redirect vulnerabilities in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors related to (1) backup/backupfilesedit.php, (2) comment/comment_post.php, (3) course/switchrole.php, (4) mod/wiki/filesedit.php, (5) tag/coursetags_add.php, or (6) user/files.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.2.4
moodle moodle 2.3.2
moodle moodle 2.3.3
moodle moodle 2.2.2
moodle moodle 2.2.6
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.2.5
moodle moodle 2.3.1
CVE-2012-6102 MEDIUM

lib.php in the Submission comments plugin in the Assignment module in Moodle 2.3.x before 2.3.4 and 2.4.x before 2.4.1 allows remote attackers to read or modify the submission comments (aka feedback comments) of arbitrary users via a crafted URI.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.3.0
moodle moodle 2.3.2
moodle moodle 2.3.3
moodle moodle 2.3.1
CVE-2012-6103 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in user/messageselect.php in the messaging system in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attackers to hijack the authentication of arbitrary users for requests that send course messages.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.2.4
moodle moodle 2.3.2
moodle moodle 2.3.3
moodle moodle 2.2.2
moodle moodle 2.2.6
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.2.5
moodle moodle 2.3.1
CVE-2012-6104 MEDIUM

blog/rsslib.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allows remote attackers to obtain sensitive information from site-level blogs by leveraging the guest role and reading an RSS feed.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.2.4
moodle moodle 2.3.2
moodle moodle 2.3.3
moodle moodle 2.2.2
moodle moodle 2.2.6
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.2.5
moodle moodle 2.3.1
CVE-2012-6105 MEDIUM

blog/rsslib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 continues to provide a blog RSS feed after blogging is disabled, which allows remote attackers to obtain sensitive information by reading this feed.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.1.7
moodle moodle 2.4.0
moodle moodle 2.1.6
moodle moodle 2.2.4
moodle moodle 2.3.2
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.2.6
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.3.1
CVE-2012-6106 MEDIUM

calendar/managesubscriptions.php in the Manage Subscriptions implementation in Moodle 2.4.x before 2.4.1 omits a capability check, which allows remote authenticated users to remove course-level calendar subscriptions by leveraging the student role and sending an iCalendar object.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
CVE-2012-6112 MEDIUM

classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.1.7
tinymce spellchecker_php 2.0.1
tinymce spellchecker_php 2.0.2
moodle moodle 2.4.0
tinymce spellchecker_php 2.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.3.1
moodle moodle 2.1.6
moodle moodle 2.2.4
tinymce spellchecker_php 2.0.6
moodle moodle 2.3.2
tinymce spellchecker_php 2.0.3
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.2.6
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-1829 MEDIUM

calendar/managesubscriptions.php in Moodle 2.4.x before 2.4.2 does not consider capability requirements before displaying calendar subscriptions, which allows remote authenticated users to obtain potentially sensitive information by leveraging the student role.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.1
CVE-2013-1830 MEDIUM

user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.7.4
moodle moodle 2.4.0
moodle moodle 1.3.3
moodle moodle 1.6.0
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.8.6
moodle moodle 1.9.16
moodle moodle 1.3.0
moodle moodle 1.5.2
moodle moodle 1.4.2
moodle moodle 2.3.4
fedoraproject fedora 17
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 1.6.7
moodle moodle 1.3.1
moodle moodle 1.8.8
moodle moodle 2.2.6
moodle moodle 1.8.3
moodle moodle 2.2.0
moodle moodle 1.3.2
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 1.4.1
moodle moodle 1.6.8
moodle moodle 1.2.1
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.5
moodle moodle 1.4.3
moodle moodle 1.8.13
moodle moodle 1.9.15
moodle moodle 1.7.3
moodle moodle 2.3.1
moodle moodle 1.4.5
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 1.6.6
moodle moodle 2.0.7
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.2.3
moodle moodle 1.7.6
moodle moodle 1.7.2
moodle moodle 1.7.1
fedoraproject fedora 18
moodle moodle 1.5.0
moodle moodle 1.9.10
moodle moodle 1.7.5
moodle moodle 1.3.4
moodle moodle 2.0.0
moodle moodle 1.4.4
moodle moodle 1.9.4
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 1.9.18
moodle moodle 1.6.1
moodle moodle 1.1.1
moodle moodle 1.8.10
moodle moodle 1.5.1
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle 2.1.2
moodle moodle 1.5.3
moodle moodle 2.3.0
moodle moodle 1.9.7
moodle moodle 2.2.1
moodle moodle 1.9.3
moodle moodle 2.1.8
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 1.9.8
moodle moodle 1.9.17
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.6.5
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 1.8.2
moodle moodle 2.0.8
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.0.4
moodle moodle 2.0.6
moodle moodle 1.8.5
moodle moodle 1.2.0
moodle moodle 1.6.2
moodle moodle 1.6.3
moodle moodle 1.9.1
moodle moodle 1.6.4
moodle moodle 1.8.11
moodle moodle 1.9.14
moodle moodle 1.8.12
moodle moodle 2.1.0
moodle moodle 1.9.9
moodle moodle 2.1.5
moodle moodle 1.8.14
moodle moodle 2.1.1
CVE-2013-1831 MEDIUM

lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.7.4
moodle moodle 2.4.0
moodle moodle 1.3.3
moodle moodle 1.6.0
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.8.6
moodle moodle 1.9.16
moodle moodle 1.3.0
moodle moodle 1.5.2
moodle moodle 1.4.2
moodle moodle 2.3.4
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 1.6.7
moodle moodle 1.3.1
moodle moodle 1.8.8
moodle moodle 2.2.6
moodle moodle 1.8.3
moodle moodle 2.2.0
moodle moodle 1.3.2
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 1.4.1
moodle moodle 1.6.8
moodle moodle 1.2.1
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.5
moodle moodle 1.4.3
moodle moodle 1.8.13
moodle moodle 1.9.15
moodle moodle 1.7.3
moodle moodle 2.3.1
moodle moodle 1.4.5
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 1.6.6
moodle moodle 2.0.7
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.2.3
moodle moodle 1.7.6
moodle moodle 1.7.2
moodle moodle 1.7.1
moodle moodle 1.5.0
moodle moodle 1.9.10
moodle moodle 1.7.5
moodle moodle 1.3.4
moodle moodle 2.0.0
moodle moodle 1.4.4
moodle moodle 1.9.4
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 1.9.18
moodle moodle 1.6.1
moodle moodle 1.1.1
moodle moodle 1.8.10
moodle moodle 1.5.1
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle 2.1.2
moodle moodle 1.5.3
moodle moodle 2.3.0
moodle moodle 1.9.7
moodle moodle 2.2.1
moodle moodle 1.9.3
moodle moodle 2.1.8
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 1.9.8
moodle moodle 1.9.17
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.6.5
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 1.8.2
moodle moodle 2.0.8
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.0.4
moodle moodle 2.0.6
moodle moodle 1.8.5
moodle moodle 1.2.0
moodle moodle 1.6.2
moodle moodle 1.6.3
moodle moodle 1.9.1
moodle moodle 1.6.4
moodle moodle 1.8.11
moodle moodle 1.9.14
moodle moodle 1.8.12
moodle moodle 2.1.0
moodle moodle 1.9.9
moodle moodle 2.1.5
moodle moodle 1.8.14
moodle moodle 2.1.1
CVE-2013-1832 MEDIUM

repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.0.8
moodle moodle 2.0.1
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.0.3
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.0.7
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle 2.1.3
moodle moodle 2.2.6
moodle moodle 2.1.2
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-1833 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted filename.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.0.8
moodle moodle 2.0.1
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.0.3
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.0.7
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle 2.1.3
moodle moodle 2.2.6
moodle moodle 2.1.2
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-1834 MEDIUM

notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated users to reassign notes via a modified (1) userid or (2) courseid field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.9.16
moodle moodle 1.9.10
moodle moodle 2.0.0
moodle moodle 1.9.4
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 1.9.18
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle 2.2.6
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 1.9.7
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 1.9.3
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 1.9.8
moodle moodle 1.9.17
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.0.8
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 1.9.15
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 1.9.1
moodle moodle 2.0.7
moodle moodle 1.9.14
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 1.9.19
moodle moodle 2.1.0
moodle moodle 1.9.9
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2013-1835 LOW

Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated administrators to obtain sensitive information from the external repositories of arbitrary users by leveraging the login_as feature.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.0.8
moodle moodle 2.0.1
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.0.3
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.0.7
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle 2.1.3
moodle moodle 2.2.6
moodle moodle 2.1.2
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-1836 MEDIUM

Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not properly manage privileges for WebDAV repositories, which allows remote authenticated users to read, modify, or delete arbitrary site-wide repositories by leveraging certain read access.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.0.8
moodle moodle 2.0.1
moodle moodle 2.0.0
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.0.3
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.0.7
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle 2.1.3
moodle moodle 2.2.6
moodle moodle 2.1.2
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-2079 MEDIUM

mod/assign/locallib.php in the assignment module in Moodle 2.3.x before 2.3.7 and 2.4.x before 2.4.4 does not consider capability requirements during the processing of ZIP assignment-archive download (aka downloadall) requests, which allows remote authenticated users to read other users' assignments by leveraging the student role.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.4.0
moodle moodle 2.3.4
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.3.5
moodle moodle 2.3.3
moodle moodle 2.3.1
CVE-2013-2080 MEDIUM

The core_grade component in Moodle through 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly consider the existence of hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role and reading the Gradebook Overview report.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.3.5
moodle moodle 2.3.3
moodle moodle 2.2.2
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.8
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.2.10
moodle moodle 2.2.5
moodle moodle 2.3.1
CVE-2013-2081 MEDIUM

Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not consider "don't send" attributes during hub registration, which allows remote hubs to obtain sensitive site information by reading form data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.3.5
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.2.8
moodle moodle 2.3.1
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.1.2
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-2082 MEDIUM

Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not enforce capability requirements for reading blog comments, which allows remote attackers to obtain sensitive information via a crafted request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.3.5
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.2.8
moodle moodle 2.3.1
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.1.2
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-2083 MEDIUM

The MoodleQuickForm class in lib/formslib.php in Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly handle a certain array-element syntax, which allows remote attackers to bypass intended form-data filtering via a crafted request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.3.5
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.2.8
moodle moodle 2.3.1
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.1.2
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-2242 MEDIUM

mod/chat/gui_sockets/index.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not consider the mod/chat:chat capability before authorizing daemon-mode chat, which allows remote authenticated users to bypass intended access restrictions via an HTTP session to a chat server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.4.4
moodle moodle 2.3.5
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.2.8
moodle moodle 2.2.10
moodle moodle 2.3.1
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-2243 MEDIUM

mod/lesson/pagetypes/matching.php in Moodle through 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 allows remote authenticated users to obtain sensitive answer information by reading the HTML source code of a document.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.4.4
moodle moodle 2.3.5
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.2.8
moodle moodle 2.2.10
moodle moodle 2.3.1
moodle moodle 2.1.6
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-2244 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in lib/conditionlib.php in Moodle 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allow remote attackers to inject arbitrary web script or HTML via the conditional access rule value of a user field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.4.2
moodle moodle 2.4.0
moodle moodle 2.4.1
moodle moodle 2.4.3
moodle moodle 2.4.4
moodle moodle 2.5.0
CVE-2013-2245 MEDIUM

rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly implement the use of RSS tokens for impersonation, which allows remote authenticated users to obtain sensitive block information by reading an RSS feed.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.4.4
moodle moodle 2.3.5
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.2.8
moodle moodle 2.2.10
moodle moodle 2.3.1
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-2246 MEDIUM

mod/feedback/lib.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not consider the mod/feedback:view capability before displaying recent feedback, which allows remote authenticated users to obtain sensitive information via a request for all course feedback that has occurred since a specified time.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.4.4
moodle moodle 2.3.5
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.2.8
moodle moodle 2.2.10
moodle moodle 2.3.1
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-3630 MEDIUM

Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.7.4
moodle moodle 2.4.0
moodle moodle 1.3.3
moodle moodle 2.4.4
moodle moodle 1.6.0
moodle moodle 2.5.1
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.8.6
moodle moodle 1.9.16
moodle moodle 1.3.0
moodle moodle 1.5.2
moodle moodle 2.2.8
moodle moodle 1.4.2
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 1.6.7
moodle moodle 1.3.1
moodle moodle 1.8.8
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 1.8.3
moodle moodle 2.2.0
moodle moodle 1.3.2
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 1.4.1
moodle moodle 1.6.8
moodle moodle 1.2.1
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.5
moodle moodle 1.4.3
moodle moodle 1.8.13
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 1.9.15
moodle moodle 1.7.3
moodle moodle 2.3.1
moodle moodle 1.4.5
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 1.6.6
moodle moodle 2.0.7
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.2.3
moodle moodle 1.7.6
moodle moodle 1.7.2
moodle moodle 2.4.5
moodle moodle 1.7.1
moodle moodle 2.3.5
moodle moodle 1.5.0
moodle moodle 1.9.10
moodle moodle 1.7.5
moodle moodle 1.3.4
moodle moodle 2.0.0
moodle moodle 1.4.4
moodle moodle 2.2.10
moodle moodle 1.9.4
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 1.9.18
moodle moodle 1.6.1
moodle moodle 1.1.1
moodle moodle 1.8.10
moodle moodle 2.2.11
moodle moodle 1.5.1
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 1.5.3
moodle moodle 2.3.0
moodle moodle 1.9.7
moodle moodle 2.2.1
moodle moodle 1.9.3
moodle moodle 2.1.8
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 1.9.8
moodle moodle 1.9.17
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.6.5
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 1.8.2
moodle moodle 2.0.8
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.0.4
moodle moodle 2.0.6
moodle moodle 1.8.5
moodle moodle 1.2.0
moodle moodle 1.6.2
moodle moodle 1.6.3
moodle moodle 1.9.1
moodle moodle 1.6.4
moodle moodle 1.8.11
moodle moodle 1.9.14
moodle moodle 1.8.12
moodle moodle 2.1.0
moodle moodle 1.9.9
moodle moodle 2.1.5
moodle moodle 1.8.14
moodle moodle 2.1.1
CVE-2013-4313 HIGH

Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.2.8
moodle moodle 2.2.10
moodle moodle 2.3.1
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.2.2
moodle moodle *
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.2.5
CVE-2013-4341 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.3.2
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle *
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.3.1
CVE-2013-4522 MEDIUM

lib/filelib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 does not send "Cache-Control: private" HTTP headers, which allows remote attackers to obtain sensitive information by requesting a file that had been previously retrieved by a caching proxy server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.7.4
moodle moodle 2.4.0
moodle moodle 1.3.3
moodle moodle 2.4.4
moodle moodle 1.6.0
moodle moodle 2.5.1
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.8.6
moodle moodle 1.9.16
moodle moodle 1.3.0
moodle moodle 1.5.2
moodle moodle 2.2.8
moodle moodle 2.5.2
moodle moodle 1.4.2
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 1.6.7
moodle moodle 1.3.1
moodle moodle 1.8.8
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 1.8.3
moodle moodle 2.2.0
moodle moodle 1.3.2
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 1.4.1
moodle moodle 1.6.8
moodle moodle 1.2.1
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.5
moodle moodle 1.4.3
moodle moodle 2.4.6
moodle moodle 1.8.13
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 1.9.15
moodle moodle 1.7.3
moodle moodle 2.3.1
moodle moodle 1.4.5
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 1.6.6
moodle moodle 2.0.7
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.2.3
moodle moodle 1.7.6
moodle moodle 1.7.2
moodle moodle 2.4.5
moodle moodle 1.7.1
moodle moodle 2.3.5
moodle moodle 1.5.0
moodle moodle 1.9.10
moodle moodle 1.7.5
moodle moodle 1.3.4
moodle moodle 2.0.0
moodle moodle 1.4.4
moodle moodle 2.2.10
moodle moodle 1.9.4
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 1.9.18
moodle moodle 1.6.1
moodle moodle 1.1.1
moodle moodle 1.8.10
moodle moodle 1.5.1
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 1.5.3
moodle moodle 2.3.0
moodle moodle 1.9.7
moodle moodle 2.2.1
moodle moodle 1.9.3
moodle moodle 2.1.8
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 1.9.8
moodle moodle 1.9.17
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.6.5
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 1.8.2
moodle moodle 2.0.8
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.0.4
moodle moodle 2.0.6
moodle moodle 1.8.5
moodle moodle 1.2.0
moodle moodle 1.6.2
moodle moodle 1.6.3
moodle moodle 1.9.1
moodle moodle 1.6.4
moodle moodle 1.8.11
moodle moodle 1.9.14
moodle moodle 1.8.12
moodle moodle 2.1.0
moodle moodle 1.9.9
moodle moodle 2.1.5
moodle moodle 1.8.14
moodle moodle 2.1.1
CVE-2013-4523 LOW

Cross-site scripting (XSS) vulnerability in message/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted message.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.7.4
moodle moodle 2.4.0
moodle moodle 1.3.3
moodle moodle 2.4.4
moodle moodle 1.6.0
moodle moodle 2.5.1
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.8.6
moodle moodle 1.9.16
moodle moodle 1.3.0
moodle moodle 1.5.2
moodle moodle 2.2.8
moodle moodle 2.5.2
moodle moodle 1.4.2
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 1.6.7
moodle moodle 1.3.1
moodle moodle 1.8.8
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 1.8.3
moodle moodle 2.2.0
moodle moodle 1.3.2
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 1.4.1
moodle moodle 1.6.8
moodle moodle 1.2.1
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.5
moodle moodle 1.4.3
moodle moodle 2.4.6
moodle moodle 1.8.13
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 1.9.15
moodle moodle 1.7.3
moodle moodle 2.3.1
moodle moodle 1.4.5
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 1.6.6
moodle moodle 2.0.7
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.2.3
moodle moodle 1.7.6
moodle moodle 1.7.2
moodle moodle 2.4.5
moodle moodle 1.7.1
moodle moodle 2.3.5
moodle moodle 1.5.0
moodle moodle 1.9.10
moodle moodle 1.7.5
moodle moodle 1.3.4
moodle moodle 2.0.0
moodle moodle 1.4.4
moodle moodle 2.2.10
moodle moodle 1.9.4
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 1.9.18
moodle moodle 1.6.1
moodle moodle 1.1.1
moodle moodle 1.8.10
moodle moodle 1.5.1
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 1.5.3
moodle moodle 2.3.0
moodle moodle 1.9.7
moodle moodle 2.2.1
moodle moodle 1.9.3
moodle moodle 2.1.8
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 1.9.8
moodle moodle 1.9.17
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.6.5
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 1.8.2
moodle moodle 2.0.8
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.0.4
moodle moodle 2.0.6
moodle moodle 1.8.5
moodle moodle 1.2.0
moodle moodle 1.6.2
moodle moodle 1.6.3
moodle moodle 1.9.1
moodle moodle 1.6.4
moodle moodle 1.8.11
moodle moodle 1.9.14
moodle moodle 1.8.12
moodle moodle 2.1.0
moodle moodle 1.9.9
moodle moodle 2.1.5
moodle moodle 1.8.14
moodle moodle 2.1.1
CVE-2013-4524 MEDIUM

Directory traversal vulnerability in repository/filesystem/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a path.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.7.4
moodle moodle 2.4.0
moodle moodle 1.3.3
moodle moodle 2.4.4
moodle moodle 1.6.0
moodle moodle 2.5.1
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.8.6
moodle moodle 1.9.16
moodle moodle 1.3.0
moodle moodle 1.5.2
moodle moodle 2.2.8
moodle moodle 2.5.2
moodle moodle 1.4.2
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 1.6.7
moodle moodle 1.3.1
moodle moodle 1.8.8
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 1.8.3
moodle moodle 2.2.0
moodle moodle 1.3.2
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 1.4.1
moodle moodle 1.6.8
moodle moodle 1.2.1
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.5
moodle moodle 1.4.3
moodle moodle 2.4.6
moodle moodle 1.8.13
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 1.9.15
moodle moodle 1.7.3
moodle moodle 2.3.1
moodle moodle 1.4.5
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 1.6.6
moodle moodle 2.0.7
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.2.3
moodle moodle 1.7.6
moodle moodle 1.7.2
moodle moodle 2.4.5
moodle moodle 1.7.1
moodle moodle 2.3.5
moodle moodle 1.5.0
moodle moodle 1.9.10
moodle moodle 1.7.5
moodle moodle 1.3.4
moodle moodle 2.0.0
moodle moodle 1.4.4
moodle moodle 2.2.10
moodle moodle 1.9.4
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 1.9.18
moodle moodle 1.6.1
moodle moodle 1.1.1
moodle moodle 1.8.10
moodle moodle 1.5.1
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 1.5.3
moodle moodle 2.3.0
moodle moodle 1.9.7
moodle moodle 2.2.1
moodle moodle 1.9.3
moodle moodle 2.1.8
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 1.9.8
moodle moodle 1.9.17
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.6.5
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 1.8.2
moodle moodle 2.0.8
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.0.4
moodle moodle 2.0.6
moodle moodle 1.8.5
moodle moodle 1.2.0
moodle moodle 1.6.2
moodle moodle 1.6.3
moodle moodle 1.9.1
moodle moodle 1.6.4
moodle moodle 1.8.11
moodle moodle 1.9.14
moodle moodle 1.8.12
moodle moodle 2.1.0
moodle moodle 1.9.9
moodle moodle 2.1.5
moodle moodle 1.8.14
moodle moodle 2.1.1
CVE-2013-4525 LOW

Cross-site scripting (XSS) vulnerability in mod/quiz/report/responses/responses_table.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to inject arbitrary web script or HTML via an answer to a text-based quiz question.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 1.7.4
moodle moodle 2.4.0
moodle moodle 1.3.3
moodle moodle 2.4.4
moodle moodle 1.6.0
moodle moodle 2.5.1
moodle moodle 1.9.11
moodle moodle 1.9.13
moodle moodle 1.8.6
moodle moodle 1.9.16
moodle moodle 1.3.0
moodle moodle 1.5.2
moodle moodle 2.2.8
moodle moodle 2.5.2
moodle moodle 1.4.2
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 1.6.7
moodle moodle 1.3.1
moodle moodle 1.8.8
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 1.8.3
moodle moodle 2.2.0
moodle moodle 1.3.2
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 1.4.1
moodle moodle 1.6.8
moodle moodle 1.2.1
moodle moodle 1.9.2
moodle moodle 1.9.5
moodle moodle 1.5
moodle moodle 1.4.3
moodle moodle 2.4.6
moodle moodle 1.8.13
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 1.9.15
moodle moodle 1.7.3
moodle moodle 2.3.1
moodle moodle 1.4.5
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 1.6.6
moodle moodle 2.0.7
moodle moodle 1.9.12
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.2.3
moodle moodle 1.7.6
moodle moodle 1.7.2
moodle moodle 2.4.5
moodle moodle 1.7.1
moodle moodle 2.3.5
moodle moodle 1.5.0
moodle moodle 1.9.10
moodle moodle 1.7.5
moodle moodle 1.3.4
moodle moodle 2.0.0
moodle moodle 1.4.4
moodle moodle 2.2.10
moodle moodle 1.9.4
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 1.9.18
moodle moodle 1.6.1
moodle moodle 1.1.1
moodle moodle 1.8.10
moodle moodle 1.5.1
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 1.5.3
moodle moodle 2.3.0
moodle moodle 1.9.7
moodle moodle 2.2.1
moodle moodle 1.9.3
moodle moodle 2.1.8
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 1.9.8
moodle moodle 1.9.17
moodle moodle 1.8.4
moodle moodle 1.8.7
moodle moodle 1.8.9
moodle moodle 1.8.1
moodle moodle 1.6.5
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 1.8.2
moodle moodle 2.0.8
moodle moodle 2.0.1
moodle moodle 1.9.6
moodle moodle 2.0.4
moodle moodle 2.0.6
moodle moodle 1.8.5
moodle moodle 1.2.0
moodle moodle 1.6.2
moodle moodle 1.6.3
moodle moodle 1.9.1
moodle moodle 1.6.4
moodle moodle 1.8.11
moodle moodle 1.9.14
moodle moodle 1.8.12
moodle moodle 2.1.0
moodle moodle 1.9.9
moodle moodle 2.1.5
moodle moodle 1.8.14
moodle moodle 2.1.1
CVE-2013-4938 MEDIUM

The LTI (aka IMS-LTI) mod_form implementation in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly support the sendname, sendemailaddr, and acceptgrades settings, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging an environment in which there was an ineffective attempt to enable the more secure values.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.0
moodle moodle 2.4.4
moodle moodle 2.3.5
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.2.8
moodle moodle 2.2.10
moodle moodle 2.3.1
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.2.4
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.2
moodle moodle 2.2.2
moodle moodle 2.1.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.1.0
moodle moodle 2.2.0
moodle moodle 2.1.5
moodle moodle 2.2.1
moodle moodle 2.2.3
moodle moodle 2.1.8
moodle moodle 2.1.1
moodle moodle 2.1.9
moodle moodle 2.2.5
CVE-2013-4939 MEDIUM

Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.0.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.4
yahoo yui 3.4.0
moodle moodle 2.3.5
yahoo yui 3.0.0
yahoo yui 3.5.0
moodle moodle 2.2.8
yahoo yui 3.9.1
yahoo yui 3.10.1
moodle moodle 2.2.10
yahoo yui 3.7.1
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
yahoo yui 3.5.1
moodle moodle 2.4.3
yahoo yui 3.7.2
moodle moodle 2.3.2
yahoo yui 3.7.3
moodle moodle 2.2.2
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
yahoo yui 3.4.1
moodle moodle 2.2.1
yahoo yui 3.10.2
yahoo yui 3.2.0
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
yahoo yui 3.1.0
yahoo yui 3.3.0
moodle moodle 2.5.0
moodle moodle 2.3.3
yahoo yui 3.9.0
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.3.1
yahoo yui 3.8.1
moodle moodle 2.2.4
yahoo yui 3.7.0
yahoo yui 3.6.0
yahoo yui 3.8.0
yahoo yui 3.1.2
yahoo yui 3.10.0
moodle moodle 2.1.3
moodle moodle 2.4.1
yahoo yui 3.1.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2013-4940 MEDIUM

Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a CVE-2013-4939 regression.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.4
yahoo yui 3.4.0
moodle moodle 2.3.5
yahoo yui 3.0.0
yahoo yui 3.5.0
moodle moodle 2.2.8
yahoo yui 3.9.1
yahoo yui 3.10.1
moodle moodle 2.2.10
yahoo yui 3.7.1
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
yahoo yui 3.5.1
moodle moodle 2.4.3
yahoo yui 3.7.2
moodle moodle 2.3.2
yahoo yui 3.7.3
moodle moodle 2.2.2
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
yahoo yui 3.4.1
moodle moodle 2.2.1
yahoo yui 3.10.2
yahoo yui 3.2.0
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
yahoo yui 3.1.0
yahoo yui 3.3.0
moodle moodle 2.5.0
moodle moodle 2.3.3
yahoo yui 3.9.0
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.3.1
yahoo yui 3.8.1
moodle moodle 2.2.4
yahoo yui 3.7.0
yahoo yui 3.6.0
yahoo yui 3.8.0
yahoo yui 3.1.2
yahoo yui 3.10.0
moodle moodle 2.1.3
moodle moodle 2.4.1
yahoo yui 3.1.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2013-4941 MEDIUM

Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.4
yahoo yui 3.4.0
moodle moodle 2.3.5
yahoo yui 3.0.0
yahoo yui 3.5.0
moodle moodle 2.2.8
yahoo yui 3.9.1
yahoo yui 3.10.1
moodle moodle 2.2.10
yahoo yui 3.7.1
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
yahoo yui 3.5.1
moodle moodle 2.4.3
yahoo yui 3.7.2
moodle moodle 2.3.2
yahoo yui 3.7.3
moodle moodle 2.2.2
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
yahoo yui 3.4.1
moodle moodle 2.2.1
yahoo yui 3.10.2
yahoo yui 3.2.0
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
yahoo yui 3.1.0
yahoo yui 3.3.0
moodle moodle 2.5.0
moodle moodle 2.3.3
yahoo yui 3.9.0
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.3.1
yahoo yui 3.8.1
moodle moodle 2.2.4
yahoo yui 3.7.0
yahoo yui 3.6.0
yahoo yui 3.8.0
yahoo yui 3.1.2
yahoo yui 3.10.0
moodle moodle 2.1.3
moodle moodle 2.4.1
yahoo yui 3.1.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2013-4942 MEDIUM

Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.4
moodle moodle 2.3.5
yahoo yui 3.5.0
moodle moodle 2.2.8
yahoo yui 3.9.1
yahoo yui 3.10.1
moodle moodle 2.2.10
yahoo yui 3.7.1
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
yahoo yui 3.5.1
moodle moodle 2.4.3
yahoo yui 3.7.2
moodle moodle 2.3.2
yahoo yui 3.7.3
moodle moodle 2.2.2
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
yahoo yui 3.10.2
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.5.0
moodle moodle 2.3.3
yahoo yui 3.9.0
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.3.1
yahoo yui 3.8.1
moodle moodle 2.2.4
yahoo yui 3.7.0
yahoo yui 3.6.0
yahoo yui 3.8.0
yahoo yui 3.10.0
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2013-5674 HIGH

badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
moodle moodle 2.5.1
moodle moodle 2.5.0
CVE-2013-7341 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted playerId or (2) referencing an external domain, a related issue to CVE-2013-7342.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
flowplayer flowplayer_flash 3.0.5
flowplayer flowplayer_flash 3.1.3
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
flowplayer flowplayer_flash 3.2.0
moodle moodle 2.6.0
flowplayer flowplayer_flash *
flowplayer flowplayer_flash 3.2.2
moodle moodle 2.6.1
flowplayer flowplayer_flash 3.0.3
flowplayer flowplayer_flash 3.1.2
moodle moodle 2.2.8
flowplayer flowplayer_flash 3.2.3
flowplayer flowplayer_flash 3.1.1
flowplayer flowplayer_flash 3.2.6
moodle moodle 2.0.0
moodle moodle 2.2.10
flowplayer flowplayer_flash 3.2.9
moodle moodle 2.5.2
flowplayer flowplayer_flash 3.0.6
flowplayer flowplayer_flash 3.2.7
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
flowplayer flowplayer_flash 3.1.0
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
flowplayer flowplayer_flash 3.2.12
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
flowplayer flowplayer_flash 3.1.4
flowplayer flowplayer_flash 3.2.10
flowplayer flowplayer_flash 3.2.14
moodle moodle 2.1.7
moodle moodle 2.2.7
flowplayer flowplayer_flash 3.0.1
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
flowplayer flowplayer_flash 3.2.4
moodle moodle 2.0.1
flowplayer flowplayer_flash 3.2.1
flowplayer flowplayer_flash 3.2.8
flowplayer flowplayer_flash 3.0.4
flowplayer flowplayer_flash 3.0.0
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
flowplayer flowplayer_flash 3.2.11
moodle moodle 2.0.3
moodle moodle 2.2.4
flowplayer flowplayer_flash 3.0.2
moodle moodle 2.4.8
flowplayer flowplayer_flash 3.2.5
moodle moodle 2.0.7
flowplayer flowplayer_flash 3.1.5
flowplayer flowplayer_flash 3.2.13
moodle moodle 2.1.3
flowplayer flowplayer_flash 3.2.15
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0008 MEDIUM

lib/adminlib.php in Moodle through 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 logs cleartext passwords, which allows remote authenticated administrators to obtain sensitive information by reading the Config Changes Report.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.4.6
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.6.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.5.2
moodle moodle 2.3.1
moodle moodle 2.3.9
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.4.7
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
CVE-2014-0009 MEDIUM

course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0010 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in user/profile/index.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 allow remote attackers to hijack the authentication of administrators for requests that delete (1) categories or (2) fields.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
fedoraproject fedora 19
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
fedoraproject fedora 20
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0122 MEDIUM

mod/chat/chat_ajax.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly check for the mod/chat:chat capability during chat sessions, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by remaining in a chat session after an intra-session capability removal by an administrator.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0123 MEDIUM

The wiki subsystem in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly restrict (1) view and (2) edit access, which allows remote authenticated users to perform wiki operations by leveraging the student role and using the Recent Activity block to reach the individual wiki of an arbitrary student.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0124 MEDIUM

The identity-reporting implementations in mod/forum/renderer.php and mod/quiz/override_form.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 do not properly restrict the display of e-mail addresses, which allows remote authenticated users to obtain sensitive information by using the (1) Forum or (2) Quiz module.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0125 MEDIUM

repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 places a session key in a URL, which allows remote attackers to bypass intended Alfresco Repository file restrictions by impersonating a file's owner.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0126 MEDIUM

Cross-site request forgery (CSRF) vulnerability in enrol/imsenterprise/importnow.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that import an IMS Enterprise file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0127 MEDIUM

The time-validation implementation in (1) mod/feedback/complete.php and (2) mod/feedback/complete_guest.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to bypass intended restrictions on starting a Feedback activity by choosing an unavailable time.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0129 MEDIUM

badges/mybadges.php in Moodle 2.5.x before 2.5.5 and 2.6.x before 2.6.2 does not properly track the user to whom a badge was issued, which allows remote authenticated users to modify the visibility of an arbitrary badge via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0213 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in mod/assign/locallib.php in the Assignment subsystem in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allow remote attackers to hijack the authentication of teachers for quick-grading requests.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.4.9
moodle moodle 2.6.2
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0214 MEDIUM

login/token.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 creates a MoodleMobile web-service token with an infinite lifetime, which makes it easier for remote attackers to hijack sessions via a brute-force attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.4.9
moodle moodle 2.6.2
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0215 MEDIUM

The blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote authenticated users to de-anonymize student identities by (1) using a screen reader or (2) reading the HTML source.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.4.9
moodle moodle 2.6.2
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0216 MEDIUM

The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.4.9
moodle moodle 2.6.2
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-0217 MEDIUM

enrol/index.php in Moodle 2.6.x before 2.6.3 does not check for the moodle/course:viewhiddencourses capability before listing hidden courses, which allows remote attackers to obtain sensitive name and summary information about these courses by leveraging the guest role and visiting a crafted URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.6.1
moodle moodle 2.6.2
moodle moodle 2.6.0
CVE-2014-0218 MEDIUM

Cross-site scripting (XSS) vulnerability in the URL downloader repository in repository/url/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.4.9
moodle moodle 2.6.2
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-2571 LOW

Cross-site scripting (XSS) vulnerability in the quiz_question_tostring function in mod/quiz/editlib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to inject arbitrary web script or HTML via a quiz question.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-2572 MEDIUM

mod/assign/externallib.php in Moodle 2.6.x before 2.6.2 does not properly handle assignment web-service parameters, which might allow remote authenticated users to modify grade metadata via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.6.1
moodle moodle 2.6.0
CVE-2014-3541 HIGH

The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.4.6
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.10
moodle moodle 2.6.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.4.9
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.5.2
moodle moodle 2.3.1
moodle moodle 2.3.9
moodle moodle 2.3.4
moodle moodle 2.4.8
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.4.7
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.7.0
CVE-2014-3542 MEDIUM

mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.4.6
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.10
moodle moodle 2.6.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.4.9
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.5.2
moodle moodle 2.3.1
moodle moodle 2.3.9
moodle moodle 2.3.4
moodle moodle 2.4.8
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.4.7
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.7.0
CVE-2014-3543 MEDIUM

mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.4.6
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.10
moodle moodle 2.6.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.4.9
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.5.2
moodle moodle 2.3.1
moodle moodle 2.3.9
moodle moodle 2.3.4
moodle moodle 2.4.8
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.4.7
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.7.0
CVE-2014-3544 LOW

Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.4.6
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.10
moodle moodle 2.6.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.4.9
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.5.2
moodle moodle 2.3.1
moodle moodle 2.3.9
moodle moodle 2.3.4
moodle moodle 2.4.8
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.4.7
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.7.0
CVE-2014-3545 MEDIUM

Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.4.6
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.10
moodle moodle 2.6.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.4.9
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.5.2
moodle moodle 2.3.1
moodle moodle 2.3.9
moodle moodle 2.3.4
moodle moodle 2.4.8
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.4.7
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.7.0
CVE-2014-3546 MEDIUM

Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.4.6
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.10
moodle moodle 2.6.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.4.9
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.5.2
moodle moodle 2.3.1
moodle moodle 2.3.9
moodle moodle 2.3.4
moodle moodle 2.4.8
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.4.7
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.7.0
CVE-2014-3547 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in badges/renderer.php in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via an external badge.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.5.6
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.2
CVE-2014-3548 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger an AJAX exception dialog.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.4.6
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.10
moodle moodle 2.6.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.4.9
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.5.2
moodle moodle 2.3.1
moodle moodle 2.3.9
moodle moodle 2.3.4
moodle moodle 2.4.8
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.4.7
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.7.0
CVE-2014-3549 MEDIUM

Cross-site scripting (XSS) vulnerability in the get_description function in lib/classes/event/user_login_failed.php in Moodle 2.7.x before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted username that is improperly handled during the logging of an invalid login attempt.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.7.0
CVE-2014-3550 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in admin/tool/task/scheduledtasks.php in Moodle 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger a crafted (1) error or (2) success message for a scheduled task.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.7.0
CVE-2014-3551 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.4.6
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.10
moodle moodle 2.6.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.4.9
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.5.2
moodle moodle 2.3.1
moodle moodle 2.3.9
moodle moodle 2.3.4
moodle moodle 2.4.8
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.4.7
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.7.0
CVE-2014-3552 MEDIUM

The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before 2.5.7 does not check whether a session ID is empty, which allows remote authenticated users to hijack sessions via crafted plugin interaction.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.4.6
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.10
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.5.5
moodle moodle 2.4.9
moodle moodle 2.5.2
moodle moodle 2.3.1
moodle moodle 2.3.9
moodle moodle 2.3.4
moodle moodle 2.4.8
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.4.7
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
CVE-2014-3553 MEDIUM

mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.4.6
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.4.10
moodle moodle 2.6.0
moodle moodle 2.4.2
moodle moodle 2.3.6
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.4.9
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.5.2
moodle moodle 2.3.1
moodle moodle 2.3.9
moodle moodle 2.3.4
moodle moodle 2.4.8
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.4.7
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.3.7
moodle moodle 2.4.1
moodle moodle 2.3.0
moodle moodle 2.7.0
CVE-2014-3617 MEDIUM

The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.0.5
moodle moodle 2.4.0
moodle moodle 2.4.5
moodle moodle 2.4.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.3.5
moodle moodle 2.7.1
moodle moodle 2.4.10
moodle moodle 2.6.0
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.6.3
moodle moodle 2.2.8
moodle moodle 2.0.0
moodle moodle 2.2.10
moodle moodle 2.5.2
moodle moodle 2.1.6
moodle moodle 2.1.10
moodle moodle 2.3.4
moodle moodle 2.6.4
moodle moodle 2.4.3
moodle moodle 2.3.10
moodle moodle 2.3.2
moodle moodle 2.0.9
moodle moodle 2.4.7
moodle moodle 2.2.11
moodle moodle 2.2.2
moodle moodle 2.0.2
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.2.9
moodle moodle 2.2.6
moodle moodle 2.3.7
moodle moodle 2.1.2
moodle moodle 2.3.0
moodle moodle 2.2.0
moodle moodle 2.7.0
moodle moodle 2.2.1
moodle moodle 2.1.8
moodle moodle 2.1.9
moodle moodle 2.2.5
moodle moodle 2.1.7
moodle moodle 2.2.7
moodle moodle 2.4.6
moodle moodle 2.3.8
moodle moodle 2.5.0
moodle moodle 2.3.3
moodle moodle 2.1.4
moodle moodle 2.4.2
moodle moodle 2.0.8
moodle moodle 2.3.6
moodle moodle 2.0.1
moodle moodle 2.4.9
moodle moodle 2.3.11
moodle moodle 2.5.7
moodle moodle 2.6.2
moodle moodle 2.0.4
moodle moodle 2.3.1
moodle moodle 2.0.6
moodle moodle 2.3.9
moodle moodle 2.0.3
moodle moodle 2.2.4
moodle moodle 2.4.8
moodle moodle 2.0.7
moodle moodle 2.5.6
moodle moodle 2.1.3
moodle moodle 2.4.1
moodle moodle 2.1.0
moodle moodle 2.1.5
moodle moodle 2.2.3
moodle moodle 2.1.1
CVE-2014-7830 LOW

Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-7831 MEDIUM

lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-7832 MEDIUM

mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-7833 MEDIUM

mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-7834 MEDIUM

mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-7835 LOW

webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-7836 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-7837 MEDIUM

mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to remove wiki pages by leveraging delete access within a different subwiki.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-7838 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for requests that set a tracking preference within (1) mod/forum/deprecatedlib.php, (2) mod/forum/forum.js, (3) mod/forum/index.php, or (4) mod/forum/lib.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-7845 HIGH

The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-255,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-7846 MEDIUM

tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-7847 MEDIUM

iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote attackers to cause a denial of service (resource consumption) by triggering the calculation of an estimated latitude and longitude for an IP address.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-7848 MEDIUM

lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-9059 MEDIUM

lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2014-9060 MEDIUM

The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.5.8
moodle moodle 2.5.2
CVE-2015-0211 MEDIUM

mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before proceeding with registered-tool list searches, which allows remote authenticated users to obtain sensitive information via requests to the LTI Ajax service.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
CVE-2015-0212 LOW

Cross-site scripting (XSS) vulnerability in course/pending.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted course summary.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
CVE-2015-0213 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) editcategories.html and (2) editcategories.php in the Glossary module in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allow remote attackers to hijack the authentication of unspecified victims.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
CVE-2015-0214 MEDIUM

message/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to bypass a messaging-disabled setting via a web-services request, as demonstrated by a people-search request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
CVE-2015-0215 MEDIUM

calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
CVE-2015-0216 LOW

access.php in the Lesson module in Moodle 2.8.x before 2.8.2 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted essay feedback.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.1
moodle moodle 2.8.0
CVE-2015-0217 MEDIUM

filter/mediaplugin/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
CVE-2015-0218 MEDIUM

Cross-site request forgery (CSRF) vulnerability in auth/shibboleth/logout.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger a logout.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.6.5
moodle moodle 2.6.4
moodle moodle 2.5.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.7.0
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
CVE-2015-1493 MEDIUM

Directory traversal vulnerability in the min_get_slash_argument function in lib/configonlylib.php in Moodle through 2.5.9, 2.6.x before 2.6.8, 2.7.x before 2.7.5, and 2.8.x before 2.8.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter, as demonstrated by reading PHP scripts.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.0
CVE-2015-2266 MEDIUM

message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/site:readallmessages capability before accessing arbitrary conversations, which allows remote authenticated users to obtain sensitive personal-contact and unread-message-count information via a modified URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-2267 MEDIUM

mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-2268 MEDIUM

filter/urltolink/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-2269 LOW

Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript-static.js in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) alt or (2) title attribute in an IMG element.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-2270 MEDIUM

lib/moodlelib.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4, when the theme uses the blocks-regions feature, establishes the course state at an incorrect point in the login-validation process, which allows remote attackers to obtain sensitive course information via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-17,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-2271 MEDIUM

tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/tag:flag capability before proceeding with a flaginappropriate action, which allows remote authenticated users to bypass intended access restrictions via the "Flag as inappropriate" feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-2272 MEDIUM

login/token.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass a forced-password-change requirement by creating a web-services token.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-2273 LOW

Cross-site scripting (XSS) vulnerability in mod/quiz/report/statistics/statistics_question_table.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the student role for a crafted quiz response.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-3174 LOW

mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.8.5
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.6.9
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.7.7
moodle moodle 2.6.10
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-3175 MEDIUM

Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an error page that links to a URL from an HTTP Referer header.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.8.5
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.6.9
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.7.7
moodle moodle 2.6.10
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-3176 MEDIUM

The account-confirmation feature in login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote attackers to obtain sensitive full-name information by attempting to self-register.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.8.5
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.6.9
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.7.7
moodle moodle 2.6.10
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-3177 LOW

Moodle 2.8.x before 2.8.6 does not consider the tool/monitor:subscribe capability before entering subscriptions to site-wide event-monitor rules, which allows remote authenticated users to obtain sensitive information via a subscription request.

CVSS 2.0

Severity: LOW

Problem Type: CWE-17,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.8.4
moodle moodle 2.8.1
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.8.3
CVE-2015-3178 LOW

Cross-site scripting (XSS) vulnerability in the external_format_text function in lib/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML into an external application via a crafted string that is visible to web services.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.8.5
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.6.9
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.7.7
moodle moodle 2.6.10
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-3179 LOW

login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to bypass intended login restrictions by leveraging access to an unconfirmed suspended account.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.8.5
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.6.9
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.7.7
moodle moodle 2.6.10
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-3180 MEDIUM

lib/navigationlib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to obtain sensitive course-structure information by leveraging access to a student account with a suspended enrolment.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.8.5
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.6.9
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.7.7
moodle moodle 2.6.10
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-3181 MEDIUM

files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not consider the moodle/user:manageownfiles capability before approving a private-file upload, which allows remote authenticated users to bypass intended file-management restrictions by using web services to perform uploads after this capability has been revoked.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.5.1
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.5.4
moodle moodle 2.7.1
moodle moodle 2.5.0
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.5.5
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.5.7
moodle moodle 2.6.3
moodle moodle 2.8.5
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.5.8
moodle moodle 2.5.2
moodle moodle 2.6.6
moodle moodle 2.6.9
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.7.7
moodle moodle 2.6.10
moodle moodle 2.8.3
moodle moodle 2.5.6
moodle moodle *
moodle moodle 2.5.3
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-3272 MEDIUM

Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an HTTP Referer header that has a substring match with a local URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.7.1
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.6.3
moodle moodle 2.8.5
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.6.6
moodle moodle 2.6.9
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.7.7
moodle moodle 2.9.0
moodle moodle 2.6.10
moodle moodle 2.8.3
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-3273 MEDIUM

mod/forum/post.php in Moodle 2.9.x before 2.9.1 does not consider the mod/forum:canposttomygroups capability before authorizing "Post a copy to all groups" actions, which allows remote authenticated users to bypass intended access restrictions by leveraging per-group authorization.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.9.0
CVE-2015-3274 MEDIUM

Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging absence of an external_format_text call in a web service.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.6.5
moodle moodle 2.6.8
moodle moodle 2.6.7
moodle moodle 2.8.1
moodle moodle 2.7.1
moodle moodle 2.6.0
moodle moodle 2.7.2
moodle moodle 2.6.1
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.6.3
moodle moodle 2.8.5
moodle moodle 2.6.2
moodle moodle 2.8.0
moodle moodle 2.6.6
moodle moodle 2.6.9
moodle moodle 2.7.4
moodle moodle 2.6.4
moodle moodle 2.7.7
moodle moodle 2.9.0
moodle moodle 2.6.10
moodle moodle 2.8.3
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
CVE-2015-3275 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the SCORM module in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allow remote attackers to inject arbitrary web script or HTML via a crafted organization name to (1) mod/scorm/player.php or (2) mod/scorm/prereqs.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.8.3
moodle moodle 2.7.2
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.5
moodle moodle 2.7.9
moodle moodle 2.8.0
CVE-2015-5264 MEDIUM

The lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to bypass intended access restrictions and enter additional answer attempts by leveraging the student role.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.8.3
moodle moodle 2.7.2
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.5
moodle moodle 2.7.9
moodle moodle 2.8.0
CVE-2015-5265 MEDIUM

The wiki component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 does not consider the mod/wiki:managefiles capability before authorizing file management, which allows remote authenticated users to delete arbitrary files by using a manage-files button in a text editor.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.8.3
moodle moodle 2.7.2
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.5
moodle moodle 2.7.9
moodle moodle 2.8.0
CVE-2015-5266 MEDIUM

The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing during a long-running sync script.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.8.3
moodle moodle 2.7.2
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.5
moodle moodle 2.7.9
moodle moodle 2.8.0
CVE-2015-5267 MEDIUM

lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-254,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.8.3
moodle moodle 2.7.2
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.5
moodle moodle 2.7.9
moodle moodle 2.8.0
CVE-2015-5268 MEDIUM

The rating component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 mishandles group-based authorization checks, which allows remote authenticated users to obtain sensitive information by reading a rating value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.8.3
moodle moodle 2.7.2
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.5
moodle moodle 2.7.9
moodle moodle 2.8.0
CVE-2015-5269 LOW

Cross-site scripting (XSS) vulnerability in group/overview.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to inject arbitrary web script or HTML via a modified grouping description.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.8.3
moodle moodle 2.7.2
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.5
moodle moodle 2.7.9
moodle moodle 2.8.0
CVE-2015-5272 MEDIUM

The Forum module in Moodle 2.7.x before 2.7.10 allows remote authenticated users to post to arbitrary groups by leveraging the teacher role, as demonstrated by a post directed to "all participants."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.7.4
moodle moodle 2.7.6
moodle moodle 2.7.3
moodle moodle 2.7.8
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.7.7
moodle moodle 2.7.9
moodle moodle 2.7.1
moodle moodle 2.7.2
CVE-2015-5331 MEDIUM

Moodle 2.9.x before 2.9.3 does not properly check the contact list before authorizing message transmission, which allows remote authenticated users to bypass intended access restrictions and conduct spam attacks via the messaging API.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254,

Products Affected

Vendor Product Version
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.9.2
CVE-2015-5332 HIGH

Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role and entering drafts with the editor-autosave feature.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.8.3
moodle moodle 2.8.4
moodle moodle 2.8.8
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
CVE-2015-5335 MEDIUM

Cross-site request forgery (CSRF) vulnerability in admin/registration/register.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote attackers to hijack the authentication of administrators for requests that send statistics to an arbitrary hub URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
CVE-2015-5336 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering a crafted survey answer.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
CVE-2015-5337 MEDIUM

Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
CVE-2015-5338 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1) mod/lesson/mediafile.php or (2) mod/lesson/view.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
CVE-2015-5339 MEDIUM

The core_enrol_get_enrolled_users web service in enrol/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly implement group-based access restrictions, which allows remote authenticated users to obtain sensitive course-participant information via a web-service request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
CVE-2015-5340 MEDIUM

Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbadges capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) badges/overview.php or (2) badges/view.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
CVE-2015-5341 MEDIUM

mod_scorm in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 mishandles availability dates, which allows remote authenticated users to bypass intended access restrictions and read SCORM contents via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
CVE-2015-5342 MEDIUM

The choice module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote authenticated users to bypass intended access restrictions by visiting a URL to add or delete responses in the closed state.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
CVE-2016-0724 MEDIUM

The (1) core_enrol_get_course_enrolment_methods and (2) enrol_self_get_instance_info web services in Moodle through 2.6.11, 2.7.x before 2.7.12, 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 do not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to obtain sensitive information via a web-service request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.9.3
fedoraproject fedora 22
moodle moodle 2.7.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
fedoraproject fedora 23
moodle moodle 2.7.9
moodle moodle 2.7.11
CVE-2016-0725 MEDIUM

Cross-site scripting (XSS) vulnerability in the search_pagination function in course/classes/management_renderer.php in Moodle 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted search string.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.9.3
fedoraproject fedora 22
moodle moodle 2.8.2
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 3.0.1
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.8.8
fedoraproject fedora 23
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
CVE-2016-2151 MEDIUM

user/index.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 grants excessive authorization on the basis of the moodle/course:viewhiddenuserfields capability, which allows remote authenticated users to discover student e-mail addresses by leveraging the teacher role and reading a Participants list.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.7.4
moodle moodle 2.9.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2016-2152 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an external DB profile field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.7.4
moodle moodle 2.9.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2016-2153 MEDIUM

Cross-site scripting (XSS) vulnerability in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via a crafted field in a URL, as demonstrated by a search form field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.7.4
moodle moodle 2.9.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2016-2154 MEDIUM

admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to discover hidden course names by subscribing to a rule.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.9.3
moodle moodle 2.8.2
moodle moodle 2.9.4
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.8.8
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 3.0.2
CVE-2016-2155 MEDIUM

The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging the Non-Editing Instructor role.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.9.3
moodle moodle 2.8.2
moodle moodle 2.9.4
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.8.8
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 3.0.2
CVE-2016-2156 MEDIUM

calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.7.4
moodle moodle 2.9.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2016-2157 MEDIUM

Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests that manage Assignment plugins.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.7.4
moodle moodle 2.9.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2016-2158 MEDIUM

lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.7.4
moodle moodle 2.9.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2016-2159 MEDIUM

The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.7.4
moodle moodle 2.9.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2016-2190 MEDIUM

Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.7.4
moodle moodle 2.9.4
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle *
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2016-3729 MEDIUM

The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.7.13
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.7.4
moodle moodle 2.9.4
moodle moodle 3.0.3
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 2.8.11
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
moodle moodle 2.9.5
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2016-3731 MEDIUM

Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 allows remote attackers to obtain the names of hidden forums and forum discussions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.9.3
moodle moodle 2.8.2
moodle moodle 2.9.4
moodle moodle 3.0.3
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 2.8.11
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.8.8
moodle moodle 2.8.5
moodle moodle 2.9.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 3.0.2
CVE-2016-3732 MEDIUM

The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.7.13
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.7.4
moodle moodle 2.9.4
moodle moodle 3.0.3
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 2.8.11
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
moodle moodle 2.9.5
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2016-3733 MEDIUM

The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.7.13
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.7.4
moodle moodle 2.9.4
moodle moodle 3.0.3
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 2.8.11
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
moodle moodle 2.9.5
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2016-3734 MEDIUM

Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that marks forum posts as read.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.7.10
moodle moodle 2.7.3
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.7.13
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.7.4
moodle moodle 2.9.4
moodle moodle 3.0.3
moodle moodle 2.7.7
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 2.8.11
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.8.8
moodle moodle 2.7.9
moodle moodle 2.9.5
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2016-5012 MEDIUM

In Moodle 3.x, glossary search displays entries without checking user permissions to view them.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 3.1.0
CVE-2016-5013 MEDIUM

In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.9.6
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.8.12
moodle moodle 3.0.4
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.9.4
moodle moodle 3.0.3
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 2.8.11
moodle moodle *
moodle moodle 2.8.8
moodle moodle 2.9.5
moodle moodle 3.1.0
moodle moodle 3.0.2
CVE-2016-5014 MEDIUM

In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.9.6
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.8.12
moodle moodle 3.0.4
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.9.4
moodle moodle 3.0.3
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 2.8.11
moodle moodle 2.8.8
moodle moodle 2.9.5
moodle moodle 3.1.0
moodle moodle 3.0.2
CVE-2016-7038 MEDIUM

In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-640,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.9.6
moodle moodle 2.9.7
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.8.12
moodle moodle 3.1.1
moodle moodle 3.0.4
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 2.9.3
moodle moodle 2.9.4
moodle moodle 3.0.3
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 2.8.11
moodle moodle *
moodle moodle 3.0.5
moodle moodle 2.8.8
moodle moodle 2.9.5
moodle moodle 3.1.0
moodle moodle 3.0.2
CVE-2016-7919 MEDIUM

Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting that "the person who is installing Moodle must know database access credentials and they can access the database directly; there is no need for them to create a SQL injection in one of the installation dialogue fields.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,CWE-200,CWE-89,

Products Affected

Vendor Product Version
moodle moodle 3.1.2
CVE-2016-8642 MEDIUM

In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.9.6
moodle moodle 2.9.7
moodle moodle 3.0.6
moodle moodle 2.9.8
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.8.12
moodle moodle 3.1.1
moodle moodle 3.0.4
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 3.1.2
moodle moodle 2.9.3
moodle moodle 2.9.4
moodle moodle 3.0.3
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 2.8.11
moodle moodle *
moodle moodle 3.0.5
moodle moodle 2.8.8
moodle moodle 2.9.5
moodle moodle 3.1.0
moodle moodle 3.0.2
CVE-2016-8643 MEDIUM

In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.9.6
moodle moodle 2.9.7
moodle moodle 3.0.6
moodle moodle 2.9.8
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.8.12
moodle moodle 3.1.1
moodle moodle 3.0.4
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 3.1.2
moodle moodle 2.9.3
moodle moodle 2.9.4
moodle moodle 3.0.3
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 2.8.11
moodle moodle *
moodle moodle 3.0.5
moodle moodle 2.8.8
moodle moodle 2.9.5
moodle moodle 3.1.0
moodle moodle 3.0.2
CVE-2016-8644 MEDIUM

In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.9.6
moodle moodle 2.9.7
moodle moodle 3.0.6
moodle moodle 2.9.8
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.8.12
moodle moodle 3.1.1
moodle moodle 3.0.4
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 3.1.2
moodle moodle 2.9.3
moodle moodle 2.9.4
moodle moodle 3.0.3
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 2.8.11
moodle moodle *
moodle moodle 3.0.5
moodle moodle 2.8.8
moodle moodle 2.9.5
moodle moodle 3.1.0
moodle moodle 3.0.2
CVE-2016-9186 MEDIUM

Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2016-9187 MEDIUM

Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2016-9188 MEDIUM

Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2017-12156 MEDIUM

Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 3.1.6
moodle moodle 3.2.5
moodle moodle 3.1.5
moodle moodle 3.0.6
moodle moodle 3.0.1
moodle moodle 3.2.1
moodle moodle 3.2.2
moodle moodle 3.0.9
moodle moodle 3.1.1
moodle moodle 3.0.7
moodle moodle 3.0.4
moodle moodle 3.2.0
moodle moodle 3.1.2
moodle moodle 3.1.4
moodle moodle 3.1.7
moodle moodle 3.0.3
moodle moodle 3.1.3
moodle moodle 3.3.0
moodle moodle 3.1.8
moodle moodle 3.3.2
moodle moodle 3.0.0
moodle moodle 3.0.8
moodle moodle 3.0.10
moodle moodle 3.2.4
moodle moodle 3.0.5
moodle moodle 3.2.3
moodle moodle 3.1.0
moodle moodle 3.0.2
moodle moodle 3.3.1
CVE-2017-12157 MEDIUM

In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 3.1.6
moodle moodle 3.1.5
moodle moodle 3.0.6
moodle moodle 3.0.1
moodle moodle 3.2.1
moodle moodle 3.2.2
moodle moodle 3.0.9
moodle moodle 3.1.1
moodle moodle 3.0.7
moodle moodle 3.0.4
moodle moodle 3.2.0
moodle moodle 3.1.2
moodle moodle 3.1.4
moodle moodle 3.1.7
moodle moodle 3.0.3
moodle moodle 3.1.3
moodle moodle 3.3.0
moodle moodle 3.0.0
moodle moodle 3.0.8
moodle moodle 3.0.10
moodle moodle 3.2.4
moodle moodle 3.0.5
moodle moodle 3.2.3
moodle moodle 3.1.0
moodle moodle 3.0.2
moodle moodle 3.3.1
CVE-2017-15110 MEDIUM

In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2017-2576 MEDIUM

In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
moodle moodle 2.8.6
moodle moodle 2.8.2
moodle moodle 2.8.1
moodle moodle 2.8.7
moodle moodle 2.9.6
moodle moodle 2.9.7
moodle moodle 3.0.6
moodle moodle 2.9.8
moodle moodle 3.0.1
moodle moodle 2.8.10
moodle moodle 2.8.12
moodle moodle 3.1.1
moodle moodle 3.0.7
moodle moodle 3.0.4
moodle moodle 2.8.9
moodle moodle 2.8.4
moodle moodle 2.8.5
moodle moodle 2.8.0
moodle moodle 2.9.2
moodle moodle 3.2.0
moodle moodle 3.1.2
moodle moodle 2.9.3
moodle moodle 2.9.4
moodle moodle 3.0.3
moodle moodle 3.1.3
moodle moodle 2.9.1
moodle moodle 2.9.0
moodle moodle 3.0.0
moodle moodle 2.8.3
moodle moodle 2.8.11
moodle moodle *
moodle moodle 3.0.5
moodle moodle 2.8.8
moodle moodle 2.9.5
moodle moodle 2.9.9
moodle moodle 3.1.0
moodle moodle 3.0.2
CVE-2017-2578 MEDIUM

In Moodle 3.x, there is XSS in the assignment submission page.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 3.1.2
moodle moodle 3.1.1
moodle moodle 3.1.3
moodle moodle 3.1.0
moodle moodle 3.2.0
CVE-2017-2641 HIGH

In Moodle 2.x and 3.x, SQL injection can occur via user preferences.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
moodle moodle 3.0.6
moodle moodle 2.7.14
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.7.15
moodle moodle 3.2.1
moodle moodle 3.1.1
moodle moodle 3.0.7
moodle moodle 2.7.10
moodle moodle 3.0.4
moodle moodle 2.7.3
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.7.13
moodle moodle 3.2.0
moodle moodle 3.1.2
moodle moodle 2.7.17
moodle moodle 3.1.4
moodle moodle 2.7.16
moodle moodle 2.7.4
moodle moodle 3.0.3
moodle moodle 3.1.3
moodle moodle 2.7.7
moodle moodle 3.0.0
moodle moodle 3.0.8
moodle moodle 3.0.5
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.7.18
moodle moodle 2.7.9
moodle moodle 3.1.0
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2017-2642 MEDIUM

Moodle 3.x has user fullname disclosure on the user preferences page.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 3.1.2
moodle moodle 3.1.4
moodle moodle 3.1.6
moodle moodle 3.1.3
moodle moodle 3.3.0
moodle moodle 3.1.5
moodle moodle 3.2.1
moodle moodle 3.2.2
moodle moodle 3.1.1
moodle moodle 3.2.3
moodle moodle 3.1.0
moodle moodle 3.2.0
moodle moodle 3.3.1
CVE-2017-2643 MEDIUM

In Moodle 3.2.x, global search displays user names for unauthenticated users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 3.2.1
moodle moodle 3.2.0
CVE-2017-2644 MEDIUM

In Moodle 3.x, XSS can occur via evidence of prior learning.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 3.1.2
moodle moodle 3.1.4
moodle moodle 3.2.1
moodle moodle 3.1.1
moodle moodle 3.1.3
moodle moodle 3.1.0
moodle moodle 3.2.0
CVE-2017-2645 MEDIUM

In Moodle 3.x, XSS can occur via attachments to evidence of prior learning.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 3.1.2
moodle moodle 3.1.4
moodle moodle 3.2.1
moodle moodle 3.1.1
moodle moodle 3.1.3
moodle moodle 3.1.0
moodle moodle 3.2.0
CVE-2017-7298 LOW

In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 3.2.2
CVE-2017-7489 MEDIUM

In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
moodle moodle 3.0.6
moodle moodle 2.7.14
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.7.15
moodle moodle 3.2.1
moodle moodle 3.2.2
moodle moodle 3.1.1
moodle moodle 3.0.7
moodle moodle 2.7.10
moodle moodle 3.0.4
moodle moodle 2.7.3
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.7.13
moodle moodle 3.2.0
moodle moodle 3.1.2
moodle moodle 2.7.17
moodle moodle 3.1.4
moodle moodle 2.7.16
moodle moodle 2.7.4
moodle moodle 3.0.3
moodle moodle 3.1.3
moodle moodle 2.7.7
moodle moodle 3.0.0
moodle moodle 3.0.8
moodle moodle 3.0.5
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.7.18
moodle moodle 2.7.9
moodle moodle 3.1.0
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2017-7490 MEDIUM

In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-668,

Products Affected

Vendor Product Version
moodle moodle 3.0.6
moodle moodle 2.7.14
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.7.15
moodle moodle 3.2.1
moodle moodle 3.2.2
moodle moodle 3.1.1
moodle moodle 3.0.7
moodle moodle 2.7.10
moodle moodle 3.0.4
moodle moodle 2.7.3
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.7.13
moodle moodle 3.2.0
moodle moodle 3.1.2
moodle moodle 2.7.17
moodle moodle 3.1.4
moodle moodle 2.7.16
moodle moodle 2.7.4
moodle moodle 3.0.3
moodle moodle 3.1.3
moodle moodle 2.7.7
moodle moodle 3.0.0
moodle moodle 3.0.8
moodle moodle 3.0.5
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.7.18
moodle moodle 2.7.9
moodle moodle 3.1.0
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2017-7491 MEDIUM

In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
moodle moodle 3.0.6
moodle moodle 2.7.14
moodle moodle 2.7.1
moodle moodle 2.7.2
moodle moodle 3.0.1
moodle moodle 2.7.15
moodle moodle 3.2.1
moodle moodle 3.2.2
moodle moodle 3.1.1
moodle moodle 3.0.7
moodle moodle 2.7.10
moodle moodle 3.0.4
moodle moodle 2.7.3
moodle moodle 2.7.8
moodle moodle 2.7.12
moodle moodle 2.7.13
moodle moodle 3.2.0
moodle moodle 3.1.2
moodle moodle 2.7.17
moodle moodle 3.1.4
moodle moodle 2.7.16
moodle moodle 2.7.4
moodle moodle 3.0.3
moodle moodle 3.1.3
moodle moodle 2.7.7
moodle moodle 3.0.0
moodle moodle 3.0.8
moodle moodle 3.0.5
moodle moodle 2.7.6
moodle moodle 2.7.0
moodle moodle 2.7.5
moodle moodle 2.7.18
moodle moodle 2.7.9
moodle moodle 3.1.0
moodle moodle 3.0.2
moodle moodle 2.7.11
CVE-2017-7531 MEDIUM

In Moodle 3.3, the course overview block reveals activities in hidden courses.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 3.3.0
CVE-2017-7532 MEDIUM

In Moodle 3.x, course creators are able to change system default settings for courses.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
moodle moodle 3.1.2
moodle moodle 3.1.4
moodle moodle 3.1.6
moodle moodle 3.1.3
moodle moodle 3.3.0
moodle moodle 3.1.5
moodle moodle 3.2.1
moodle moodle 3.2.2
moodle moodle 3.1.1
moodle moodle 3.2.3
moodle moodle 3.1.0
moodle moodle 3.2.0
moodle moodle 3.3.1
CVE-2018-1042 MEDIUM

Moodle 3.x has Server Side Request Forgery in the filepicker.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
moodle moodle 3.2.6
moodle moodle 3.3.0
moodle moodle 3.2.5
moodle moodle 3.3.2
moodle moodle 3.3.3
moodle moodle *
moodle moodle 3.2.1
moodle moodle 3.2.2
moodle moodle 3.2.4
moodle moodle 3.2.3
moodle moodle 3.2.0
moodle moodle 3.3.1
moodle moodle 3.4.0
CVE-2018-1043 MEDIUM

In Moodle 3.x, the setting for blocked hosts list can be bypassed with multiple A record hostnames.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
moodle moodle 3.2.6
moodle moodle 3.3.0
moodle moodle 3.2.5
moodle moodle 3.3.2
moodle moodle 3.3.3
moodle moodle 3.2.1
moodle moodle 3.2.2
moodle moodle 3.2.4
moodle moodle 3.2.3
moodle moodle 3.2.0
moodle moodle 3.3.1
moodle moodle 3.4.0
CVE-2018-1044 MEDIUM

In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle 3.2.6
moodle moodle 3.3.0
moodle moodle 3.2.5
moodle moodle 3.3.2
moodle moodle 3.3.3
moodle moodle *
moodle moodle 3.2.1
moodle moodle 3.2.2
moodle moodle 3.2.4
moodle moodle 3.2.3
moodle moodle 3.2.0
moodle moodle 3.3.1
moodle moodle 3.4.0
CVE-2018-1045 LOW

In Moodle 3.x, there is XSS via a calendar event name.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 3.2.6
moodle moodle 3.3.0
moodle moodle 3.2.5
moodle moodle 3.3.2
moodle moodle 3.3.3
moodle moodle *
moodle moodle 3.2.1
moodle moodle 3.2.2
moodle moodle 3.2.4
moodle moodle 3.2.3
moodle moodle 3.2.0
moodle moodle 3.3.1
CVE-2018-1081 MEDIUM

A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via paypal enrol script. Paypal IPN callback script should only send error emails to admin after request origin was verified, otherwise admin email can be spammed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2018-1082 MEDIUM

A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-285,CWE-287,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2018-10889 MEDIUM

A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7. No option existed to omit logs from data privacy exports, which may contain details of other users who interacted with the requester.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,CWE-532,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2018-10890 MEDIUM

A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. It was possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-200,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2018-10891 HIGH

A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2018-1133 MEDIUM

An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2018-1134 MEDIUM

An issue was discovered in Moodle 3.x. Students who submitted assignments and exported them to portfolios can download any stored Moodle file by changing the download URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2018-1135 MEDIUM

An issue was discovered in Moodle 3.x. Students who posted on forums and exported the posts to portfolios can download any stored Moodle file by changing the download URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2018-1136 MEDIUM

An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other pages where they can be viewed by other users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2018-1137 MEDIUM

An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2018-14630 MEDIUM

moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-94,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2018-14631 MEDIUM

moodle before versions 3.5.2, 3.4.5, 3.3.8 is vulnerable to a boost theme - blog search GET parameter insufficiently filtered. The breadcrumb navigation provided by Boost theme when displaying search results of a blog were insufficiently filtered, which could result in reflected XSS if a user followed a malicious link containing JavaScript in the search parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2018-16854 MEDIUM

A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-10133 MEDIUM

A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,CWE-601,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-10134 MEDIUM

A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-10154 MEDIUM

A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-285,NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-10186 MEDIUM

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-10187 MEDIUM

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,CWE-862,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-10188 MEDIUM

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in a quiz group could modify group overrides for other groups in the same quiz.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-10189 MEDIUM

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in an assignment group could modify group overrides for other groups in the same assignment.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,NVD-CWE-Other,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-14827 MEDIUM

A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-14828 MEDIUM

A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-285,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-14829 MEDIUM

A vulnerability was found in Moodle affection 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-573,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-14830 MEDIUM

A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-14831 MEDIUM

A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscribe link contained an open redirect if forced subscription mode was enabled. If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-14879 MEDIUM

A vulnerability was found in Moodle versions 3.7.x before 3.7.3, 3.6.x before 3.6.7 and 3.5.x before 3.5.9. When a cohort role assignment was removed, the associated capabilities were not being revoked (where applicable).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,CWE-273,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-14880 MEDIUM

A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-14881 MEDIUM

A vulnerability was found in moodle 3.7 before 3.7.3, where there is blind XSS reflected in some locations where user email is displayed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-14882 MEDIUM

A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier where an open redirect existed in the Lesson edit page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,CWE-601,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-14883 MEDIUM

A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-285,CWE-862,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-14884 MEDIUM

A vulnerability was found in Moodle 3.7 before 3.73, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS possible from some fatal error messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-18210 LOW

Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-3808 MEDIUM

A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.6.0
moodle moodle 3.6.1
CVE-2019-3809 HIGH

A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-352,CWE-918,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-3810 MEDIUM

A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-3847 LOW

A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-3848 MEDIUM

A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,CWE-863,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-3849 MEDIUM

A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-285,CWE-269,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-3850 MEDIUM

A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-3851 MEDIUM

A vulnerability was found in moodle before versions 3.6.3 and 3.5.5. There was a link to site home within the the Boost theme's secure layout, meaning students could navigate out of the page.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora -
CVE-2019-3852 MEDIUM

A vulnerability was found in moodle before version 3.6.3. The get_with_capability_join and get_users_by_capability functions were not taking context freezing into account when checking user capabilities

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2019-6970 MEDIUM

Moodle 3.5.x before 3.5.4 allows SSRF.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2020-10738 MEDIUM

A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions. It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2020-14320

In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.9.0
CVE-2020-14321

In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.9.0
CVE-2020-14322

In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service.

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.9.0
CVE-2020-1691

In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
moodle moodle 3.8.0
CVE-2020-1692 MEDIUM

Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
secalert@redhat.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2020-1754

In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.8.1
moodle moodle 3.8.0
CVE-2020-1755

In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2020-1756

In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
moodle moodle *
CVE-2020-25627 MEDIUM

The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2020-25628 MEDIUM

The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2020-25629 MEDIUM

A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,CWE-862,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2020-25630 MEDIUM

A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2020-25631 MEDIUM

A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2020-25698 MEDIUM

Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 33
moodle moodle *
fedoraproject fedora 32
CVE-2020-25699 MEDIUM

In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,CWE-863,

Products Affected

Vendor Product Version
fedoraproject fedora 33
moodle moodle *
fedoraproject fedora 32
CVE-2020-25700 MEDIUM

In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
fedoraproject fedora 33
moodle moodle *
fedoraproject fedora 32
CVE-2020-25701 MEDIUM

If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,CWE-863,

Products Affected

Vendor Product Version
fedoraproject fedora 33
moodle moodle *
fedoraproject fedora 32
CVE-2020-25702 MEDIUM

In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
fedoraproject fedora 33
moodle moodle *
fedoraproject fedora 32
CVE-2020-25703 MEDIUM

The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-201,CWE-200,

Products Affected

Vendor Product Version
fedoraproject fedora 33
moodle moodle *
fedoraproject fedora 32
CVE-2021-20183 MEDIUM

It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-20184 MEDIUM

It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-354,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-20185 MEDIUM

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-770,

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.10.0
CVE-2021-20186 LOW

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-20187 MEDIUM

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,CWE-829,

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.10.0
CVE-2021-20279 LOW

The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 34
fedoraproject fedora 32
CVE-2021-20280 LOW

Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
fedoraproject fedora 33
moodle moodle *
fedoraproject fedora 34
fedoraproject fedora 32
CVE-2021-20281 MEDIUM

It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-863,

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 34
fedoraproject fedora 32
CVE-2021-20282 MEDIUM

When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 34
fedoraproject fedora 32
CVE-2021-20283 MEDIUM

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,CWE-862,

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 34
fedoraproject fedora 32
CVE-2021-21809 HIGH

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
moodle moodle 3.10.0
CVE-2021-27131

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer. NOTE: this is disputed by the vendor because the "Additional HTML Section" for "Header and Footer" can only be supplied by an administrator, who is intentionally allowed to enter unsanitized input (e.g., site-specific JavaScript).

Products Affected

Vendor Product Version
moodle moodle 3.10.1
CVE-2021-32244 LOW

Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
moodle moodle 3.10.3
CVE-2021-32472 LOW

Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 are affected.

CVSS 2.0

Severity: LOW

Problem Type: CWE-862,CWE-862,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-32473 MEDIUM

It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-32474 MEDIUM

An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-32475 LOW

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-78,CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-32476 MEDIUM

A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,CWE-770,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-32477 MEDIUM

The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). Moodle versions 3.10 to 3.10.3 are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-862,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-32478 MEDIUM

The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,CWE-601,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-36392

In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-36393

In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-36394

In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-36395

In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-36396

In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-36397

In Moodle, insufficient capability checks meant message deletions were not limited to the current user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-36398

In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
moodle moodle 3.11.0
CVE-2021-36399

In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
moodle moodle 3.11.0
CVE-2021-36400

In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-36401

In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-36402

In Moodle, Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-36403

In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-36568

In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle 3.10.4
moodle moodle 3.9.7
fedoraproject fedora 35
moodle moodle 3.11.0
CVE-2021-3943 HIGH

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-40691

A session hijack risk was identified in the Shibboleth authentication plugin.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-40692

Insufficient capability checks made it possible for teachers to download users outside of their courses.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-40693

An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-40694

Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-40695

It was possible for a student to view their quiz grade before it had been released, using a quiz web service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2021-43558 MEDIUM

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 35
CVE-2021-43559 MEDIUM

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 35
CVE-2021-43560 MEDIUM

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,CWE-668,

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 35
CVE-2021-47857

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N 3.9 2.7

Products Affected

Vendor Product Version
moodle moodle 3.10.3
CVE-2022-0332 HIGH

A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2022-0333 MEDIUM

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,CWE-863,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2022-0334 MEDIUM

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,CWE-668,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2022-0335 MEDIUM

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2022-0983 MEDIUM

An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 35
CVE-2022-0984 MEDIUM

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,CWE-863,

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
redhat enterprise_linux 7.0
fedoraproject fedora 34
fedoraproject fedora 35
CVE-2022-0985 MEDIUM

Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-863,

Products Affected

Vendor Product Version
moodle moodle *
CVE-2022-2986

Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2022-30596 LOW

A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
redhat enterprise_linux 8.0
fedoraproject fedora 34
moodle moodle 4.0.0
fedoraproject fedora 35
CVE-2022-30597 MEDIUM

A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-472,NVD-CWE-Other,

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
redhat enterprise_linux 8.0
fedoraproject fedora 34
moodle moodle 4.0.0
fedoraproject fedora 35
CVE-2022-30598 MEDIUM

A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
redhat enterprise_linux 8.0
fedoraproject fedora 34
moodle moodle 4.0.0
fedoraproject fedora 35
CVE-2022-30599 HIGH

A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
redhat enterprise_linux 8.0
fedoraproject fedora 34
moodle moodle 4.0.0
fedoraproject fedora 35
CVE-2022-30600 HIGH

A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-682,CWE-682,

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
redhat enterprise_linux 8.0
fedoraproject fedora 34
moodle moodle 4.0.0
fedoraproject fedora 35
CVE-2022-35649

The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject fedora 35
CVE-2022-35650

The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject fedora 35
CVE-2022-35651

A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
redhat enterprise_linux 8.0
moodle moodle 4.0.1
moodle moodle 4.0.0
fedoraproject fedora 35
CVE-2022-35652

An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject fedora 35
CVE-2022-35653

A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
redhat enterprise_linux 8.0
moodle moodle 4.0.1
moodle moodle 4.0.0
fedoraproject fedora 35
CVE-2022-39183

Moodle Plugin - SAML Auth may allow Open Redirect through unspecified vectors.

Products Affected

Vendor Product Version
moodle saml_authentication -
CVE-2022-40208

In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.9.0
moodle moodle 4.0.0
moodle moodle 3.11.0
CVE-2022-40313

Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 8.0
fedoraproject fedora 35
CVE-2022-40314

A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2022-40315

A limited SQL injection risk was identified in the "browse list of users" site administration page.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 8.0
fedoraproject fedora 35
CVE-2022-40316

The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 8.0
fedoraproject fedora 35
CVE-2022-45149

A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website. This flaw allows an attacker to perform cross-site request forgery attacks.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject fedora 37
fedoraproject fedora 35
CVE-2022-45150

A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user-supplied data in policy tool. An attacker can trick the victim to open a specially crafted link that executes an arbitrary HTML and script code in user's browser in context of vulnerable website. This vulnerability may allow an attacker to perform cross-site scripting (XSS) attacks to gain access potentially sensitive information and modification of web pages.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject fedora 37
fedoraproject fedora 35
CVE-2022-45151

The stored-XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in several "social" user profile fields. An attacker could inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject fedora 37
fedoraproject fedora 35
CVE-2022-45152

A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject fedora 37
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 35
CVE-2023-1402

The course participation report required additional checks to prevent roles being displayed which the user did not have access to view.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.9.0
moodle moodle 4.1.0
moodle moodle 4.1.1
moodle moodle 4.0.0
moodle moodle 3.11.0
CVE-2023-23921

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 4.1.0
CVE-2023-23922

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 4.1.0
CVE-2023-23923

The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N 3.9 4.2

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 4.1.0
CVE-2023-28329

Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.9.0
moodle moodle 4.1.0
moodle moodle 4.1.1
moodle moodle 4.0.0
moodle moodle 3.11.0
CVE-2023-28330

Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.9.0
moodle moodle 4.1.0
moodle moodle 4.1.1
moodle moodle 4.0.0
moodle moodle 3.11.0
CVE-2023-28331

Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.9.0
moodle moodle 4.1.0
moodle moodle 4.1.1
moodle moodle 4.0.0
moodle moodle 3.11.0
CVE-2023-28332

If the algebra filter was enabled but not functional (eg the necessary binaries were missing from the server), it presented an XSS risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 3.9.0
moodle moodle 4.1.0
moodle moodle 4.1.1
moodle moodle 4.0.0
moodle moodle 3.11.0
CVE-2023-28333

The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
moodle moodle 3.9.0
moodle moodle 4.1.0
moodle moodle 4.1.1
moodle moodle 4.0.0
moodle moodle 3.11.0
CVE-2023-28334

Authenticated users were able to enumerate other users' names via the learning plans page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 4.1.0
moodle moodle 4.1.1
moodle moodle 4.0.0
CVE-2023-28335

The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
moodle moodle 4.1.0
moodle moodle 4.1.1
CVE-2023-28336

Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
moodle moodle 3.9.0
moodle moodle 4.1.0
moodle moodle 4.1.1
moodle moodle 4.0.0
moodle moodle 3.11.0
CVE-2023-30943

The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject fedora 37
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 38
CVE-2023-30944

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database.

Products Affected

Vendor Product Version
fedoraproject fedora 36
moodle moodle *
fedoraproject fedora 37
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 38
CVE-2023-35131

Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14.

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 4.2.0
CVE-2023-35132

A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 4.2.0
CVE-2023-35133

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 4.2.0
CVE-2023-46858

Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to enhance their courses ... admins and teachers can post XSS-capable content, but students can not."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
moodle moodle 4.3.0
CVE-2023-5539

A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 38
CVE-2023-5540

A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
patrick@puiterwijk.org 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 38
CVE-2023-5541

The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
patrick@puiterwijk.org 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 1.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2023-5542

Students in "Only see own membership" groups could see other students in the group, which should be hidden.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 1.8 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 38
moodle moodle 4.2.2
CVE-2023-5543

When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 1.8 1.4
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 38
CVE-2023-5544

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
moodle moodle *
redhat enterprise_linux 7.0
fedoraproject fedora 37
fedoraproject fedora 38
fedoraproject fedora 39
CVE-2023-5545

H5P metadata automatically populated the author with the user's username, which could be sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
patrick@puiterwijk.org 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 1.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 38
CVE-2023-5546

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
redhat enterprise_linux 7.0
fedoraproject fedora 37
fedoraproject fedora 38
fedoraproject fedora 39
CVE-2023-5547

The course upload preview contained an XSS risk for users uploading unsafe data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 1.8 1.4
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
moodle moodle *
redhat enterprise_linux 7.0
fedoraproject fedora 37
fedoraproject fedora 38
fedoraproject fedora 39
CVE-2023-5548

Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4
patrick@puiterwijk.org 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 1.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 38
CVE-2023-5549

Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 1.8 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 38
CVE-2023-5550

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 38
CVE-2023-5551

Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4
patrick@puiterwijk.org 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 1.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject extra_packages_for_enterprise_linux 7.0
fedoraproject fedora 38
CVE-2024-1439

Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@incibe.es 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-25978

Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 38
CVE-2024-25979

The URL parameters accepted by forum search were not limited to the allowed parameters.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 38
CVE-2024-25980

Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 38
CVE-2024-25981

Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 38
CVE-2024-25982

The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 38
CVE-2024-25983

Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N 2.1 1.4

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 38
CVE-2024-28593

The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text." This page also says "Chat is due to be removed from standard Moodle."

Products Affected

Vendor Product Version
moodle moodle 4.3.3
CVE-2024-29374

A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the "GET /?lang=" URL parameter.

Products Affected

Vendor Product Version
moodle moodle 3.10.9
CVE-2024-33996

Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-33997

Additional sanitizing was required when opening the equation editor to prevent a stored XSS risk when editing another user's equation.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-33998

Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-33999

The referrer URL used by MFA required additional sanitizing, rather than being used directly.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-34000

ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-34001

Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-34002

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-34003

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-34004

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-34005

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-34006

The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-34007

The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-34008

Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-34009

Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-34312

Virtual Programming Lab for Moodle up to v4.2.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component vplide.js.

Products Affected

Vendor Product Version
moodle virtual_programming_lab *
CVE-2024-37674

Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name parameter) of a new activity.

Products Affected

Vendor Product Version
moodle moodle 3.10.0
CVE-2024-38273

Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 40
moodle moodle 4.4.0
fedoraproject fedora 39
CVE-2024-38274

Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 40
moodle moodle 4.4.0
fedoraproject fedora 39
CVE-2024-38275

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 4.4.0
CVE-2024-38276

Incorrect CSRF token checks resulted in multiple CSRF risks.

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 40
moodle moodle 4.4.0
fedoraproject fedora 39
CVE-2024-38277

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

Products Affected

Vendor Product Version
moodle moodle *
fedoraproject fedora 40
moodle moodle 4.4.0
fedoraproject fedora 39
CVE-2024-43425

A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43426

A flaw was found in pdfTeX. Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available, such as those with TeX Live installed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43427

A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43428

To address a cache poisoning risk in Moodle, additional validation for local storage was required.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.7 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 2.5 5.2

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43429

A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43430

A flaw was found in moodle. External API access to Quiz can override contained insufficient access control.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43431

A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43432

A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43433

A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43434

The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43435

A flaw was found in moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43436

A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43437

A flaw was found in moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43438

A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43439

A flaw was found in moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-43440

A flaw was found in moodle. A local file may include risks when restoring block backups.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-45689

A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-45690

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-45691

A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-48896

A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-48897

A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-48898

A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-48899

A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-48900

A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

Products Affected

Vendor Product Version
moodle moodle *
CVE-2024-48901

A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-26525

Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N 3.9 4.0

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-26526

Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-26527

Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-26528

The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 3.4 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N 1.6 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-26529

Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-26530

The question bank filter required additional sanitizing to prevent a reflected XSS risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 8.3 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.6 6.0

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-26531

Insufficient capability checks made it possible to disable badges a user does not have permission to access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N 1.6 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-26532

Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N 1.6 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-26533

An SQL injection risk was identified in the module list filter within course search.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-32044

A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact information, and hashed passwords—via stack traces returned by specific API calls. Sites with PHP configured with zend.exception_ignore_args = 1 in the php.ini file are not affected by this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-32045

A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3625

A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had completed two-factor authentication (2FA).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H 2.8 4.2

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3627

A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3628

A flaw has was found in Moodle where anonymous assignment submissions can be de-anonymized via search, revealing student identities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3634

A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3635

A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N 2.1 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3636

A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3637

A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.6 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3638

A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3640

A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3641

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3642

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3643

A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3644

A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3645

A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-3647

A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-53021

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 4.2 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N 1.6 2.5

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-62393

A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course details.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-62394

Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-62395

A flaw in the cohort search web service allowed users with permissions in lower contexts to access cohort information from the system context, revealing restricted administrative data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-62396

An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-62397

The router’s inconsistent response to invalid course IDs allowed attackers to infer which course IDs exist, potentially aiding reconnaissance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-62398

A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-62399

Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-62400

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-62401

An issue in Moodle’s timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to complete an assessment.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L 2.8 2.5

Products Affected

Vendor Product Version
moodle moodle *
CVE-2025-67847

A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 5.1.0
CVE-2025-67848

A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 5.1.0
CVE-2025-67849

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 5.1.0
CVE-2025-67850

A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 5.1.0
CVE-2025-67851

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L 1.3 4.7

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 5.1.0
CVE-2025-67852

A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 5.1.0
CVE-2025-67853

A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 5.1.0
CVE-2025-67855

A flaw was found in mooodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user's browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 5.1.0
CVE-2025-67856

A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 5.1.0
CVE-2025-67857

A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
moodle moodle *
moodle moodle 5.1.0
CVE-2026-26045

A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are typically available to privileged users, exploitation requires authenticated access. Successful exploitation could result in full compromise of the Moodle server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
moodle moodle *
CVE-2026-26046

A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator could result in unintended system command execution. While exploitation requires administrative privileges, successful compromise could affect the entire Moodle server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
moodle moodle *
CVE-2026-26047

A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
patrick@puiterwijk.org 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
moodle moodle *