VYPR

Bitnami package

moodle

pkg:bitnami/moodle

Vulnerabilities (225)

  • CVE-2021-36398Mar 6, 2023
    affected >= 3.11.0, < 3.11.1fixed 3.11.1

    In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.

  • CVE-2021-36397Mar 6, 2023
    affected < 3.9.8fixed 3.9.8

    In Moodle, insufficient capability checks meant message deletions were not limited to the current user.

  • CVE-2021-36396Mar 6, 2023
    affected < 3.9.8fixed 3.9.8

    In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.

  • CVE-2021-36395Mar 6, 2023
    affected < 3.9.8fixed 3.9.8

    In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.

  • CVE-2021-36394Mar 6, 2023
    affected < 3.9.8fixed 3.9.8

    In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

  • CVE-2021-36393Mar 6, 2023
    affected < 3.9.8fixed 3.9.8

    In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

  • CVE-2021-36392Mar 6, 2023
    affected < 3.9.8fixed 3.9.8

    In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.

  • CVE-2023-23923Feb 17, 2023
    affected >= 3.9.0, < 3.9.19fixed 3.9.19

    The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality

  • CVE-2023-23922Feb 17, 2023
    affected >= 4.0.0, < 4.0.6fixed 4.0.6

    The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable w

  • CVE-2023-23921Feb 17, 2023
    affected >= 3.9.0, < 3.9.19fixed 3.9.19

    The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context o

  • CVE-2022-45152Nov 25, 2022
    affected < 3.9.18fixed 3.9.18

    A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacke

  • CVE-2022-45151Nov 23, 2022
    affected >= 3.11.0, < 3.11.11fixed 3.11.11

    The stored-XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in several "social" user profile fields. An attacker could inject and execute arbitrary HTML and script code in user's browser in context of vulnerable websit

  • CVE-2022-45150Nov 23, 2022
    affected >= 3.9.0, < 3.9.18fixed 3.9.18

    A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user-supplied data in policy tool. An attacker can trick the victim to open a specially crafted link that executes an arbitrary HTML and script code in us

  • CVE-2022-45149Nov 23, 2022
    affected >= 3.9.0, < 3.9.18fixed 3.9.18

    A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the

  • CVE-2022-2986Oct 6, 2022
    affected >= 3.11.0, < 3.11.9fixed 3.11.9

    Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.

  • CVE-2022-40316Sep 30, 2022
    affected >= 3.9.0, < 3.9.17fixed 3.9.17

    The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.

  • CVE-2022-40315Sep 30, 2022
    affected >= 3.9.0, < 3.9.17fixed 3.9.17

    A limited SQL injection risk was identified in the "browse list of users" site administration page.

  • CVE-2022-40313Sep 30, 2022
    affected >= 3.9.0, < 3.9.17fixed 3.9.17

    Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.

  • CVE-2022-40314Sep 30, 2022
    affected >= 3.9.0, < 3.9.17fixed 3.9.17

    A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.

  • CVE-2021-36568Sep 13, 2022
    affected >= 3.9.7, < 3.9.8fixed 3.9.8

    In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodl

Page 8 of 12