VYPR

Bitnami package

moodle

pkg:bitnami/moodle

Vulnerabilities (225)

  • CVE-2020-14320Aug 16, 2022
    affected >= 3.7.0, < 3.7.7fixed 3.7.7

    In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.

  • CVE-2020-1756Aug 16, 2022
    affected >= 3.5.0, < 3.5.11fixed 3.5.11

    In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool.

  • CVE-2020-1755Aug 16, 2022
    affected >= 3.5.0, < 3.5.11fixed 3.5.11

    In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.

  • CVE-2020-14322Aug 16, 2022
    affected >= 3.5.0, < 3.5.13fixed 3.5.13

    In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service.

  • CVE-2020-14321Aug 16, 2022
    affected >= 3.5.0, < 3.5.13fixed 3.5.13

    In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.

  • CVE-2020-1754Aug 5, 2022
    affected >= 3.5.0, < 3.5.11fixed 3.5.11

    In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.

  • CVE-2020-1691Aug 5, 2022
    affected >= 3.8.0, < 3.8.1fixed 3.8.1

    In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting.

  • CVE-2022-35653Jul 25, 2022
    affected >= 3.9.0, < 3.9.15fixed 3.9.15

    A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script cod

  • CVE-2022-35652Jul 25, 2022
    affected >= 3.9.0, < 3.9.15fixed 3.9.15

    An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exp

  • CVE-2022-35651Jul 25, 2022
    affected >= 3.9.0, < 3.9.15fixed 3.9.15

    A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's

  • CVE-2022-35650Jul 25, 2022
    affected >= 3.9.0, < 3.9.15fixed 3.9.15

    The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to ac

  • CVE-2022-35649Jul 25, 2022
    affected >= 3.9.0, < 3.9.15fixed 3.9.15

    The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerabilit

  • CVE-2022-30600May 18, 2022
    affected >= 3.9.0, < 3.9.14fixed 3.9.14

    A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.

  • CVE-2022-30599May 18, 2022
    affected >= 3.9.0, < 3.9.14fixed 3.9.14

    A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.

  • CVE-2022-30598May 18, 2022
    affected >= 3.9.0, < 3.9.14fixed 3.9.14

    A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.

  • CVE-2022-30597May 18, 2022
    affected >= 3.9.0, < 3.9.14fixed 3.9.14

    A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.

  • CVE-2022-30596May 18, 2022
    affected >= 3.9.0, < 3.9.14fixed 3.9.14

    A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.

  • CVE-2022-0984Apr 29, 2022
    affected >= 3.9.0, < 3.9.13fixed 3.9.13

    Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.

  • CVE-2022-0985Apr 29, 2022
    affected < 3.9.13fixed 3.9.13

    Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.

  • CVE-2022-0983Mar 25, 2022
    affected >= 3.9.0, < 3.9.13fixed 3.9.13

    An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

Page 9 of 12