Bitnami package
moodle
pkg:bitnami/moodle
Vulnerabilities (225)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-21809 | Cri | 9.1 | >= 3.10.0, < 3.10.1 | 3.10.1 | Jun 23, 2021 | A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities. | |
| CVE-2021-32244 | Med | 5.4 | >= 3.10.3, < 3.10.4 | 3.10.4 | Jun 16, 2021 | Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field. | |
| CVE-2021-20283 | Med | 4.3 | >= 3.5.0, < 3.5.17 | 3.5.17 | Mar 15, 2021 | The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |
| CVE-2021-20282 | Med | 5.3 | >= 3.5.0, < 3.5.17 | 3.5.17 | Mar 15, 2021 | When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |
| CVE-2021-20281 | Med | 5.3 | >= 3.5.0, < 3.5.17 | 3.5.17 | Mar 15, 2021 | It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |
| CVE-2021-20280 | Med | 5.4 | >= 3.5.0, < 3.5.17 | 3.5.17 | Mar 15, 2021 | Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |
| CVE-2021-20279 | Med | 5.4 | >= 3.5.0, < 3.5.17 | 3.5.17 | Mar 15, 2021 | The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |
| CVE-2021-20185 | Med | 5.3 | >= 3.5.0, < 3.5.16 | 3.5.16 | Jan 28, 2021 | It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages. | |
| CVE-2021-20187 | Hig | 7.2 | < 3.5.16 | 3.5.16 | Jan 28, 2021 | It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. | |
| CVE-2021-20186 | Med | 5.4 | < 3.5.16 | 3.5.16 | Jan 28, 2021 | It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS. | |
| CVE-2021-20184 | Med | 4.3 | < 3.8.7 | 3.8.7 | Jan 28, 2021 | It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades. | |
| CVE-2021-20183 | Med | 5.4 | < 3.10.1 | 3.10.1 | Jan 28, 2021 | It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries. | |
| CVE-2020-25627 | Med | 6.1 | >= 3.9.0, < 3.9.2 | 3.9.2 | Dec 9, 2020 | The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2. | |
| CVE-2020-25631 | Med | 6.1 | >= 3.7.0, < 3.7.8 | 3.7.8 | Dec 8, 2020 | A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8. | |
| CVE-2020-25630 | Hig | 7.5 | >= 3.5.0, < 3.5.14 | 3.5.14 | Dec 8, 2020 | A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier | |
| CVE-2020-25629 | Hig | 8.8 | >= 3.5.0, < 3.5.14 | 3.5.14 | Dec 8, 2020 | A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to | |
| CVE-2020-25628 | Med | 6.1 | >= 3.5.0, < 3.5.14 | 3.5.14 | Dec 8, 2020 | The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. | |
| CVE-2020-25703 | Med | 5.3 | >= 3.7.0, < 3.7.9 | 3.7.9 | Nov 19, 2020 | The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10. | |
| CVE-2020-25702 | Med | 6.1 | >= 3.9.0, < 3.9.3 | 3.9.3 | Nov 19, 2020 | In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10. | |
| CVE-2020-25701 | Med | 5.3 | >= 3.5.0, < 3.5.15 | 3.5.15 | Nov 19, 2020 | If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, |
- affected >= 3.10.0, < 3.10.1fixed 3.10.1
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
- affected >= 3.10.3, < 3.10.4fixed 3.10.4
Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.
- affected >= 3.5.0, < 3.5.17fixed 3.5.17
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
- affected >= 3.5.0, < 3.5.17fixed 3.5.17
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
- affected >= 3.5.0, < 3.5.17fixed 3.5.17
It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
- affected >= 3.5.0, < 3.5.17fixed 3.5.17
Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
- affected >= 3.5.0, < 3.5.17fixed 3.5.17
The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
- affected >= 3.5.0, < 3.5.16fixed 3.5.16
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.
- affected < 3.5.16fixed 3.5.16
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.
- affected < 3.5.16fixed 3.5.16
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.
- affected < 3.8.7fixed 3.8.7
It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades.
- affected < 3.10.1fixed 3.10.1
It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.
- affected >= 3.9.0, < 3.9.2fixed 3.9.2
The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2.
- affected >= 3.7.0, < 3.7.8fixed 3.7.8
A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.
- affected >= 3.5.0, < 3.5.14fixed 3.5.14
A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier
- affected >= 3.5.0, < 3.5.14fixed 3.5.14
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to
- affected >= 3.5.0, < 3.5.14fixed 3.5.14
The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
- affected >= 3.7.0, < 3.7.9fixed 3.7.9
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.
- affected >= 3.9.0, < 3.9.3fixed 3.9.3
In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.
- affected >= 3.5.0, < 3.5.15fixed 3.5.15
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2,
Page 11 of 12