Bitnami package
moodle
pkg:bitnami/moodle
Vulnerabilities (225)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-36398 | — | >= 3.11.0, < 3.11.1 | 3.11.1 | Mar 6, 2023 | In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk. | ||
| CVE-2021-36397 | — | < 3.9.8 | 3.9.8 | Mar 6, 2023 | In Moodle, insufficient capability checks meant message deletions were not limited to the current user. | ||
| CVE-2021-36396 | — | < 3.9.8 | 3.9.8 | Mar 6, 2023 | In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk. | ||
| CVE-2021-36395 | — | < 3.9.8 | 3.9.8 | Mar 6, 2023 | In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service. | ||
| CVE-2021-36394 | — | < 3.9.8 | 3.9.8 | Mar 6, 2023 | In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin. | ||
| CVE-2021-36393 | — | < 3.9.8 | 3.9.8 | Mar 6, 2023 | In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses. | ||
| CVE-2021-36392 | — | < 3.9.8 | 3.9.8 | Mar 6, 2023 | In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses. | ||
| CVE-2023-23923 | — | >= 3.9.0, < 3.9.19 | 3.9.19 | Feb 17, 2023 | The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality | ||
| CVE-2023-23922 | — | >= 4.0.0, < 4.0.6 | 4.0.6 | Feb 17, 2023 | The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable w | ||
| CVE-2023-23921 | — | >= 3.9.0, < 3.9.19 | 3.9.19 | Feb 17, 2023 | The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context o | ||
| CVE-2022-45152 | — | < 3.9.18 | 3.9.18 | Nov 25, 2022 | A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacke | ||
| CVE-2022-45151 | — | >= 3.11.0, < 3.11.11 | 3.11.11 | Nov 23, 2022 | The stored-XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in several "social" user profile fields. An attacker could inject and execute arbitrary HTML and script code in user's browser in context of vulnerable websit | ||
| CVE-2022-45150 | — | >= 3.9.0, < 3.9.18 | 3.9.18 | Nov 23, 2022 | A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user-supplied data in policy tool. An attacker can trick the victim to open a specially crafted link that executes an arbitrary HTML and script code in us | ||
| CVE-2022-45149 | — | >= 3.9.0, < 3.9.18 | 3.9.18 | Nov 23, 2022 | A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the | ||
| CVE-2022-2986 | — | >= 3.11.0, < 3.11.9 | 3.11.9 | Oct 6, 2022 | Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk. | ||
| CVE-2022-40316 | — | >= 3.9.0, < 3.9.17 | 3.9.17 | Sep 30, 2022 | The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to. | ||
| CVE-2022-40315 | — | >= 3.9.0, < 3.9.17 | 3.9.17 | Sep 30, 2022 | A limited SQL injection risk was identified in the "browse list of users" site administration page. | ||
| CVE-2022-40313 | — | >= 3.9.0, < 3.9.17 | 3.9.17 | Sep 30, 2022 | Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load. | ||
| CVE-2022-40314 | — | >= 3.9.0, < 3.9.17 | 3.9.17 | Sep 30, 2022 | A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified. | ||
| CVE-2021-36568 | — | >= 3.9.7, < 3.9.8 | 3.9.8 | Sep 13, 2022 | In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodl |
- CVE-2021-36398Mar 6, 2023affected >= 3.11.0, < 3.11.1fixed 3.11.1
In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.
- CVE-2021-36397Mar 6, 2023affected < 3.9.8fixed 3.9.8
In Moodle, insufficient capability checks meant message deletions were not limited to the current user.
- CVE-2021-36396Mar 6, 2023affected < 3.9.8fixed 3.9.8
In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.
- CVE-2021-36395Mar 6, 2023affected < 3.9.8fixed 3.9.8
In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.
- CVE-2021-36394Mar 6, 2023affected < 3.9.8fixed 3.9.8
In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.
- CVE-2021-36393Mar 6, 2023affected < 3.9.8fixed 3.9.8
In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.
- CVE-2021-36392Mar 6, 2023affected < 3.9.8fixed 3.9.8
In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.
- CVE-2023-23923Feb 17, 2023affected >= 3.9.0, < 3.9.19fixed 3.9.19
The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality
- CVE-2023-23922Feb 17, 2023affected >= 4.0.0, < 4.0.6fixed 4.0.6
The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable w
- CVE-2023-23921Feb 17, 2023affected >= 3.9.0, < 3.9.19fixed 3.9.19
The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context o
- CVE-2022-45152Nov 25, 2022affected < 3.9.18fixed 3.9.18
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacke
- CVE-2022-45151Nov 23, 2022affected >= 3.11.0, < 3.11.11fixed 3.11.11
The stored-XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in several "social" user profile fields. An attacker could inject and execute arbitrary HTML and script code in user's browser in context of vulnerable websit
- CVE-2022-45150Nov 23, 2022affected >= 3.9.0, < 3.9.18fixed 3.9.18
A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user-supplied data in policy tool. An attacker can trick the victim to open a specially crafted link that executes an arbitrary HTML and script code in us
- CVE-2022-45149Nov 23, 2022affected >= 3.9.0, < 3.9.18fixed 3.9.18
A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the
- CVE-2022-2986Oct 6, 2022affected >= 3.11.0, < 3.11.9fixed 3.11.9
Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
- CVE-2022-40316Sep 30, 2022affected >= 3.9.0, < 3.9.17fixed 3.9.17
The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.
- CVE-2022-40315Sep 30, 2022affected >= 3.9.0, < 3.9.17fixed 3.9.17
A limited SQL injection risk was identified in the "browse list of users" site administration page.
- CVE-2022-40313Sep 30, 2022affected >= 3.9.0, < 3.9.17fixed 3.9.17
Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.
- CVE-2022-40314Sep 30, 2022affected >= 3.9.0, < 3.9.17fixed 3.9.17
A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.
- CVE-2021-36568Sep 13, 2022affected >= 3.9.7, < 3.9.8fixed 3.9.8
In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodl
Page 8 of 12