Filtered by vendor Moodle
Total: 526 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-32474 | 1 Moodle | 1 Moodle | 2022-03-18 | 6.5 MEDIUM | 7.2 HIGH | An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.
CVE-2022-0332 | 1 Moodle | 1 Moodle | 2022-02-01 | 7.5 HIGH | 9.8 CRITICAL | A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.
CVE-2019-18210 | 1 Moodle | 1 Moodle | 2021-12-21 | 3.5 LOW | 5.4 MEDIUM | Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug."
CVE-2019-10134 | 1 Moodle | 1 Moodle | 2021-10-28 | 4.3 MEDIUM | 3.7 LOW | A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email was not correctly checked, so their quota allowance could be exceeded.
CVE-2013-3630 | 1 Moodle | 1 Moodle | 2021-10-12 | 4.6 MEDIUM | N/A | Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.
CVE-2021-32244 | 1 Moodle | 1 Moodle | 2021-06-21 | 3.5 LOW | 5.4 MEDIUM | Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.
CVE-2019-14827 | 1 Moodle | 1 Moodle | 2021-06-01 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability was found in Moodle where JavaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions.
CVE-2019-14828 | 1 Moodle | 1 Moodle | 2021-03-22 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.
CVE-2021-20183 | 1 Moodle | 1 Moodle | 2021-02-01 | 4.3 MEDIUM | 5.4 MEDIUM | It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.
CVE-2021-20186 | 1 Moodle | 1 Moodle | 2021-02-01 | 2.1 LOW | 5.4 MEDIUM | It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.
CVE-2021-20184 | 1 Moodle | 1 Moodle | 2021-02-01 | 4.0 MEDIUM | 4.3 MEDIUM | It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that insufficient capability checks in some grade-related web services meant students were able to view other students' grades.
CVE-2020-25627 | 1 Moodle | 1 Moodle | 2020-12-10 | 4.3 MEDIUM | 6.1 MEDIUM | The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2.
CVE-2020-25631 | 1 Moodle | 1 Moodle | 2020-12-08 | 4.3 MEDIUM | 6.1 MEDIUM | A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.
CVE-2020-25630 | 1 Moodle | 1 Moodle | 2020-12-08 | 5.0 MEDIUM | 7.5 HIGH | A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
CVE-2020-25628 | 1 Moodle | 1 Moodle | 2020-12-08 | 4.3 MEDIUM | 6.1 MEDIUM | The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
CVE-2016-8644 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | 5.3 MEDIUM | In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.
CVE-2016-3729 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 6.5 MEDIUM | The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator.
CVE-2016-2154 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM | admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to discover hidden course names by subscribing to a rule.
CVE-2016-2152 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an external DB profile field.
CVE-2017-2576 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | 5.3 MEDIUM | In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.