VYPR

Bitnami package

moodle

pkg:bitnami/moodle

Vulnerabilities (225)

  • CVE-2024-38274Jun 18, 2024
    affected >= 4.1.0, < 4.1.11fixed 4.1.11

    Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.

  • CVE-2024-38273Jun 18, 2024
    affected >= 4.1.0, < 4.1.11fixed 4.1.11

    Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.

  • CVE-2024-34009May 31, 2024
    affected >= 4.3.0, < 4.3.4fixed 4.3.4

    Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized.

  • CVE-2024-34008May 31, 2024
    affected >= 4.0.0, < 4.3.4fixed 4.3.4

    Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.

  • CVE-2024-34007May 31, 2024
    affected >= 4.3.0, < 4.3.4fixed 4.3.4

    The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.

  • CVE-2024-34006May 31, 2024
    affected < 4.1.10fixed 4.1.10

    The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.

  • CVE-2024-34005May 31, 2024
    affected < 4.1.10fixed 4.1.10

    In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

  • CVE-2024-34004May 31, 2024
    affected < 4.1.10fixed 4.1.10

    In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

  • CVE-2024-34003May 31, 2024
    affected < 4.1.10fixed 4.1.10

    In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

  • CVE-2024-34002May 31, 2024
    affected < 4.1.10fixed 4.1.10

    In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

  • CVE-2024-34001May 31, 2024
    affected < 4.1.10fixed 4.1.10

    Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.

  • CVE-2024-34000May 31, 2024
    affected < 4.1.10fixed 4.1.10

    ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk.

  • CVE-2024-33999May 31, 2024
    affected >= 4.3.0, < 4.3.4fixed 4.3.4

    The referrer URL used by MFA required additional sanitizing, rather than being used directly.

  • CVE-2024-33998May 31, 2024
    affected < 4.1.10fixed 4.1.10

    Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features.

  • CVE-2024-33997May 31, 2024
    affected < 4.1.10fixed 4.1.10

    Additional sanitizing was required when opening the equation editor to prevent a stored XSS risk when editing another user's equation.

  • CVE-2024-33996May 31, 2024
    affected < 4.1.10fixed 4.1.10

    Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.

  • CVE-2024-28593Mar 22, 2024
    affected >= 4.3.3, < 4.3.4fixed 4.3.4

    The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things

  • CVE-2024-29374Mar 21, 2024
    affected >= 3.10.9, < 4.1.10fixed 4.1.10

    A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the "GET /?lang=" URL parameter.

  • CVE-2024-25983Feb 19, 2024
    affected < 4.1.9fixed 4.1.9

    Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).

  • CVE-2024-25982Feb 19, 2024
    affected < 4.1.9fixed 4.1.9

    The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

Page 5 of 12