VYPR

Bitnami package

moodle

pkg:bitnami/moodle

Vulnerabilities (225)

  • CVE-2024-25981Feb 19, 2024
    affected < 4.1.9fixed 4.1.9

    Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.

  • CVE-2024-25980Feb 19, 2024
    affected < 4.1.9fixed 4.1.9

    Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

  • CVE-2024-25979Feb 19, 2024
    affected < 4.1.9fixed 4.1.9

    The URL parameters accepted by forum search were not limited to the allowed parameters.

  • CVE-2024-25978Feb 19, 2024
    affected < 4.1.9fixed 4.1.9

    Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.

  • CVE-2024-1439Feb 12, 2024
    affected < 4.3.4fixed 4.3.4

    Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.

  • CVE-2023-5543Nov 9, 2023
    affected >= 4.0.0, < 4.0.11fixed 4.0.11

    When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting.

  • CVE-2023-5551Nov 9, 2023
    affected < 3.9.24fixed 3.9.24

    Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.

  • CVE-2023-5550Nov 9, 2023
    affected < 3.9.24fixed 3.9.24

    In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

  • CVE-2023-5549Nov 9, 2023
    affected < 3.9.24fixed 3.9.24

    Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.

  • CVE-2023-5548Nov 9, 2023
    affected < 3.9.24fixed 3.9.24

    Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.

  • CVE-2023-5547Nov 9, 2023
    affected >= 3.9.0, < 3.9.24fixed 3.9.24

    The course upload preview contained an XSS risk for users uploading unsafe data.

  • CVE-2023-5546Nov 9, 2023
    affected >= 4.0.0, < 4.0.11fixed 4.0.11

    ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

  • CVE-2023-5545Nov 9, 2023
    affected < 3.9.24fixed 3.9.24

    H5P metadata automatically populated the author with the user's username, which could be sensitive information.

  • CVE-2023-5544Nov 9, 2023
    affected >= 3.9.0, < 3.9.24fixed 3.9.24

    Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

  • CVE-2023-5542Nov 9, 2023
    affected >= 4.2.2, < 4.2.3fixed 4.2.3

    Students in "Only see own membership" groups could see other students in the group, which should be hidden.

  • CVE-2023-5541Nov 9, 2023
    affected >= 3.9.0, < 3.9.24fixed 3.9.24

    The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.

  • CVE-2023-5540Nov 9, 2023
    affected < 3.9.24fixed 3.9.24

    A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.

  • CVE-2023-5539Nov 9, 2023
    affected < 3.9.24fixed 3.9.24

    A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.

  • CVE-2023-46858Oct 29, 2023
    affected >= 4.3.0, < 4.3.1fixed 4.3.1

    Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to enhance their courses ... admins and teachers can post XSS-capable content, but

  • CVE-2023-35133Jun 22, 2023
    affected < 3.9.22fixed 3.9.22

    An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

Page 6 of 12