Filtered by vendor Moodle
Total: 526 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-3810 | 1 Moodle | 1 Moodle | 2022-11-07 | 4.3 MEDIUM | 6.1 MEDIUM | A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.
CVE-2021-20185 | 1 Moodle | 1 Moodle | 2022-10-21 | 5.0 MEDIUM | 5.3 MEDIUM | It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.
CVE-2021-20187 | 1 Moodle | 1 Moodle | 2022-10-21 | 6.5 MEDIUM | 7.2 HIGH | It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.
CVE-2020-25629 | 1 Moodle | 1 Moodle | 2022-10-21 | 6.5 MEDIUM | 8.8 HIGH | A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
CVE-2021-40692 | 1 Moodle | 1 Moodle | 2022-10-03 | N/A | 4.3 MEDIUM | Insufficient capability checks made it possible for teachers to download users outside of their courses.
CVE-2021-40693 | 1 Moodle | 1 Moodle | 2022-10-03 | N/A | 6.5 MEDIUM | An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.
CVE-2021-40694 | 1 Moodle | 1 Moodle | 2022-10-03 | N/A | 4.9 MEDIUM | Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.
CVE-2021-40695 | 1 Moodle | 1 Moodle | 2022-10-03 | N/A | 4.3 MEDIUM | It was possible for a student to view their quiz grade before it had been released, using a quiz web service.
CVE-2021-40691 | 1 Moodle | 1 Moodle | 2022-10-03 | N/A | 4.3 MEDIUM | A session hijack risk was identified in the Shibboleth authentication plugin.
CVE-2021-21809 | 1 Moodle | 1 Moodle | 2022-08-24 | 9.0 HIGH | 9.1 CRITICAL | A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerability.
CVE-2020-1756 | 1 Moodle | 1 Moodle | 2022-08-17 | N/A | 7.2 HIGH | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool.
CVE-2020-1755 | 1 Moodle | 1 Moodle | 2022-08-17 | N/A | 5.3 MEDIUM | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.
CVE-2020-14320 | 1 Moodle | 1 Moodle | 2022-08-17 | N/A | 6.1 MEDIUM | In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.
CVE-2020-1754 | 1 Moodle | 1 Moodle | 2022-08-07 | N/A | 4.3 MEDIUM | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.
CVE-2020-1691 | 1 Moodle | 1 Moodle | 2022-08-07 | N/A | 5.4 MEDIUM | In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting.
CVE-2021-32477 | 1 Moodle | 1 Moodle | 2022-07-02 | 4.0 MEDIUM | 4.3 MEDIUM | The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). Moodle versions 3.10 to 3.10.3 are affected.
CVE-2022-0984 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2022-05-10 | 4.0 MEDIUM | 4.3 MEDIUM | Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.
CVE-2013-4341 | 1 Moodle | 1 Moodle | 2022-05-01 | 4.3 MEDIUM | N/A | Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed.
CVE-2021-32475 | 1 Moodle | 1 Moodle | 2022-03-18 | 3.5 LOW | 5.4 MEDIUM | ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.
CVE-2021-32473 | 1 Moodle | 1 Moodle | 2022-03-18 | 5.0 MEDIUM | 5.3 MEDIUM | It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.