Bitnami package
moodle
pkg:bitnami/moodle
Vulnerabilities (225)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-38274 | — | >= 4.1.0, < 4.1.11 | 4.1.11 | Jun 18, 2024 | Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt. | ||
| CVE-2024-38273 | — | >= 4.1.0, < 4.1.11 | 4.1.11 | Jun 18, 2024 | Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access. | ||
| CVE-2024-34009 | — | >= 4.3.0, < 4.3.4 | 4.3.4 | May 31, 2024 | Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized. | ||
| CVE-2024-34008 | — | >= 4.0.0, < 4.3.4 | 4.3.4 | May 31, 2024 | Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk. | ||
| CVE-2024-34007 | — | >= 4.3.0, < 4.3.4 | 4.3.4 | May 31, 2024 | The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF. | ||
| CVE-2024-34006 | — | < 4.1.10 | 4.1.10 | May 31, 2024 | The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered. | ||
| CVE-2024-34005 | — | < 4.1.10 | 4.1.10 | May 31, 2024 | In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | ||
| CVE-2024-34004 | — | < 4.1.10 | 4.1.10 | May 31, 2024 | In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | ||
| CVE-2024-34003 | — | < 4.1.10 | 4.1.10 | May 31, 2024 | In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | ||
| CVE-2024-34002 | — | < 4.1.10 | 4.1.10 | May 31, 2024 | In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | ||
| CVE-2024-34001 | — | < 4.1.10 | 4.1.10 | May 31, 2024 | Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk. | ||
| CVE-2024-34000 | — | < 4.1.10 | 4.1.10 | May 31, 2024 | ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk. | ||
| CVE-2024-33999 | — | >= 4.3.0, < 4.3.4 | 4.3.4 | May 31, 2024 | The referrer URL used by MFA required additional sanitizing, rather than being used directly. | ||
| CVE-2024-33998 | — | < 4.1.10 | 4.1.10 | May 31, 2024 | Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features. | ||
| CVE-2024-33997 | — | < 4.1.10 | 4.1.10 | May 31, 2024 | Additional sanitizing was required when opening the equation editor to prevent a stored XSS risk when editing another user's equation. | ||
| CVE-2024-33996 | — | < 4.1.10 | 4.1.10 | May 31, 2024 | Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to. | ||
| CVE-2024-28593 | — | >= 4.3.3, < 4.3.4 | 4.3.4 | Mar 22, 2024 | The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things | ||
| CVE-2024-29374 | — | >= 3.10.9, < 4.1.10 | 4.1.10 | Mar 21, 2024 | A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the "GET /?lang=" URL parameter. | ||
| CVE-2024-25983 | — | < 4.1.9 | 4.1.9 | Feb 19, 2024 | Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page). | ||
| CVE-2024-25982 | — | < 4.1.9 | 4.1.9 | Feb 19, 2024 | The link to update all installed language packs did not include the necessary token to prevent a CSRF risk. |
- CVE-2024-38274Jun 18, 2024affected >= 4.1.0, < 4.1.11fixed 4.1.11
Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.
- CVE-2024-38273Jun 18, 2024affected >= 4.1.0, < 4.1.11fixed 4.1.11
Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.
- CVE-2024-34009May 31, 2024affected >= 4.3.0, < 4.3.4fixed 4.3.4
Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized.
- CVE-2024-34008May 31, 2024affected >= 4.0.0, < 4.3.4fixed 4.3.4
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.
- CVE-2024-34007May 31, 2024affected >= 4.3.0, < 4.3.4fixed 4.3.4
The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.
- CVE-2024-34006May 31, 2024affected < 4.1.10fixed 4.1.10
The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.
- CVE-2024-34005May 31, 2024affected < 4.1.10fixed 4.1.10
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
- CVE-2024-34004May 31, 2024affected < 4.1.10fixed 4.1.10
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
- CVE-2024-34003May 31, 2024affected < 4.1.10fixed 4.1.10
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
- CVE-2024-34002May 31, 2024affected < 4.1.10fixed 4.1.10
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
- CVE-2024-34001May 31, 2024affected < 4.1.10fixed 4.1.10
Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.
- CVE-2024-34000May 31, 2024affected < 4.1.10fixed 4.1.10
ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk.
- CVE-2024-33999May 31, 2024affected >= 4.3.0, < 4.3.4fixed 4.3.4
The referrer URL used by MFA required additional sanitizing, rather than being used directly.
- CVE-2024-33998May 31, 2024affected < 4.1.10fixed 4.1.10
Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features.
- CVE-2024-33997May 31, 2024affected < 4.1.10fixed 4.1.10
Additional sanitizing was required when opening the equation editor to prevent a stored XSS risk when editing another user's equation.
- CVE-2024-33996May 31, 2024affected < 4.1.10fixed 4.1.10
Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.
- CVE-2024-28593Mar 22, 2024affected >= 4.3.3, < 4.3.4fixed 4.3.4
The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things
- CVE-2024-29374Mar 21, 2024affected >= 3.10.9, < 4.1.10fixed 4.1.10
A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the "GET /?lang=" URL parameter.
- CVE-2024-25983Feb 19, 2024affected < 4.1.9fixed 4.1.9
Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).
- CVE-2024-25982Feb 19, 2024affected < 4.1.9fixed 4.1.9
The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.
Page 5 of 12