Total
628 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-12156 | 1 Moodle | 1 Moodle | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback.
|
|||||
| CVE-2016-8642 | 1 Moodle | 1 Moodle | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
|
In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.
|
|||||
| CVE-2017-7532 | 1 Moodle | 1 Moodle | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
|
In Moodle 3.x, course creators are able to change system default settings for courses.
|
|||||
| CVE-2017-7489 | 1 Moodle | 1 Moodle | 2025-04-20 | 6.5 MEDIUM | 6.3 MEDIUM |
|
In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
|
|||||
| CVE-2017-2641 | 1 Moodle | 1 Moodle | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
|
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
|
|||||
| CVE-2016-8643 | 1 Moodle | 1 Moodle | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
|
In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.
|
|||||
| CVE-2016-3733 | 1 Moodle | 1 Moodle | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber.
|
|||||
| CVE-2017-7298 | 1 Moodle | 1 Moodle | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
|
In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element.
|
|||||
| CVE-2015-3177 | 1 Moodle | 1 Moodle | 2025-04-12 | 3.5 LOW | N/A |
|
Moodle 2.8.x before 2.8.6 does not consider the tool/monitor:subscribe capability before entering subscriptions to site-wide event-monitor rules, which allows remote authenticated users to obtain sensitive information via a subscription request.
|
|||||
| CVE-2015-5266 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.9 MEDIUM | 6.8 MEDIUM |
|
The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing during a long-running sync script.
|
|||||
| CVE-2015-0214 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.0 MEDIUM | N/A |
|
message/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to bypass a messaging-disabled setting via a web-services request, as demonstrated by a people-search request.
|
|||||
| CVE-2015-5340 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbadges capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) badges/overview.php or (2) badges/view.php.
|
|||||
| CVE-2015-2271 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.0 MEDIUM | N/A |
|
tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/tag:flag capability before proceeding with a flaginappropriate action, which allows remote authenticated users to bypass intended access restrictions via the "Flag as inappropriate" feature.
|
|||||
| CVE-2015-3181 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.0 MEDIUM | N/A |
|
files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not consider the moodle/user:manageownfiles capability before approving a private-file upload, which allows remote authenticated users to bypass intended file-management restrictions by using web services to perform uploads after this capability has been revoked.
|
|||||
| CVE-2015-3179 | 1 Moodle | 1 Moodle | 2025-04-12 | 3.5 LOW | N/A |
|
login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to bypass intended login restrictions by leveraging access to an unconfirmed suspended account.
|
|||||
| CVE-2014-7836 | 1 Moodle | 1 Moodle | 2025-04-12 | 6.8 MEDIUM | N/A |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request.
|
|||||
| CVE-2014-3544 | 1 Moodle | 1 Moodle | 2025-04-12 | 3.5 LOW | N/A |
|
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.
|
|||||
| CVE-2016-2153 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via a crafted field in a URL, as demonstrated by a search form field.
|
|||||
| CVE-2014-7832 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.0 MEDIUM | N/A |
|
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
|
|||||
| CVE-2014-0216 | 1 Moodle | 1 Moodle | 2025-04-12 | 5.0 MEDIUM | N/A |
|
The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block.
|
|||||
| CVE-2014-3548 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger an AJAX exception dialog.
|
|||||
| CVE-2015-5339 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The core_enrol_get_enrolled_users web service in enrol/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly implement group-based access restrictions, which allows remote authenticated users to obtain sensitive course-participant information via a web-service request.
|
|||||
| CVE-2014-3550 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in admin/tool/task/scheduledtasks.php in Moodle 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger a crafted (1) error or (2) success message for a scheduled task.
|
|||||
| CVE-2014-7848 | 1 Moodle | 1 Moodle | 2025-04-12 | 5.0 MEDIUM | N/A |
|
lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.
|
|||||
| CVE-2016-7919 | 1 Moodle | 1 Moodle | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
|
Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting that "the person who is installing Moodle must know database access credentials and they can access the database directly; there is no need for them to create a SQL injection in one of the installation dialogue fields.
|
|||||
| CVE-2015-2266 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.0 MEDIUM | N/A |
|
message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/site:readallmessages capability before accessing arbitrary conversations, which allows remote authenticated users to obtain sensitive personal-contact and unread-message-count information via a modified URL.
|
|||||
| CVE-2015-3175 | 1 Moodle | 1 Moodle | 2025-04-12 | 5.8 MEDIUM | N/A |
|
Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an error page that links to a URL from an HTTP Referer header.
|
|||||
| CVE-2015-3272 | 1 Moodle | 1 Moodle | 2025-04-12 | 5.8 MEDIUM | 7.4 HIGH |
|
Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an HTTP Referer header that has a substring match with a local URL.
|
|||||
| CVE-2014-3553 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.9 MEDIUM | N/A |
|
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships.
|
|||||
| CVE-2015-0212 | 1 Moodle | 1 Moodle | 2025-04-12 | 3.5 LOW | N/A |
|
Cross-site scripting (XSS) vulnerability in course/pending.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted course summary.
|
|||||
| CVE-2014-2571 | 1 Moodle | 1 Moodle | 2025-04-12 | 3.5 LOW | N/A |
|
Cross-site scripting (XSS) vulnerability in the quiz_question_tostring function in mod/quiz/editlib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to inject arbitrary web script or HTML via a quiz question.
|
|||||
| CVE-2015-5337 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file.
|
|||||
| CVE-2014-3617 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.0 MEDIUM | N/A |
|
The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum.
|
|||||
| CVE-2014-0217 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.3 MEDIUM | N/A |
|
enrol/index.php in Moodle 2.6.x before 2.6.3 does not check for the moodle/course:viewhiddencourses capability before listing hidden courses, which allows remote attackers to obtain sensitive name and summary information about these courses by leveraging the guest role and visiting a crafted URL.
|
|||||
| CVE-2015-5267 | 1 Moodle | 1 Moodle | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
|
lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.
|
|||||
| CVE-2015-3174 | 1 Moodle | 1 Moodle | 2025-04-12 | 3.5 LOW | N/A |
|
mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading.
|
|||||
| CVE-2015-2268 | 1 Moodle | 1 Moodle | 2025-04-12 | 6.8 MEDIUM | N/A |
|
filter/urltolink/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression.
|
|||||
| CVE-2016-2158 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.0 MEDIUM | 4.3 MEDIUM |
|
lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.
|
|||||
| CVE-2014-0122 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.9 MEDIUM | N/A |
|
mod/chat/chat_ajax.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly check for the mod/chat:chat capability during chat sessions, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by remaining in a chat session after an intra-session capability removal by an administrator.
|
|||||
| CVE-2014-0213 | 1 Moodle | 1 Moodle | 2025-04-12 | 6.8 MEDIUM | N/A |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in mod/assign/locallib.php in the Assignment subsystem in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allow remote attackers to hijack the authentication of teachers for quick-grading requests.
|
|||||