Bitnami package
moodle
pkg:bitnami/moodle
Vulnerabilities (225)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-14320 | — | >= 3.7.0, < 3.7.7 | 3.7.7 | Aug 16, 2022 | In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk. | ||
| CVE-2020-1756 | — | >= 3.5.0, < 3.5.11 | 3.5.11 | Aug 16, 2022 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool. | ||
| CVE-2020-1755 | — | >= 3.5.0, < 3.5.11 | 3.5.11 | Aug 16, 2022 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks. | ||
| CVE-2020-14322 | — | >= 3.5.0, < 3.5.13 | 3.5.13 | Aug 16, 2022 | In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service. | ||
| CVE-2020-14321 | — | >= 3.5.0, < 3.5.13 | 3.5.13 | Aug 16, 2022 | In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course. | ||
| CVE-2020-1754 | — | >= 3.5.0, < 3.5.11 | 3.5.11 | Aug 5, 2022 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups. | ||
| CVE-2020-1691 | — | >= 3.8.0, < 3.8.1 | 3.8.1 | Aug 5, 2022 | In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting. | ||
| CVE-2022-35653 | — | >= 3.9.0, < 3.9.15 | 3.9.15 | Jul 25, 2022 | A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script cod | ||
| CVE-2022-35652 | — | >= 3.9.0, < 3.9.15 | 3.9.15 | Jul 25, 2022 | An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exp | ||
| CVE-2022-35651 | — | >= 3.9.0, < 3.9.15 | 3.9.15 | Jul 25, 2022 | A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's | ||
| CVE-2022-35650 | — | >= 3.9.0, < 3.9.15 | 3.9.15 | Jul 25, 2022 | The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to ac | ||
| CVE-2022-35649 | — | >= 3.9.0, < 3.9.15 | 3.9.15 | Jul 25, 2022 | The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerabilit | ||
| CVE-2022-30600 | — | >= 3.9.0, < 3.9.14 | 3.9.14 | May 18, 2022 | A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed. | ||
| CVE-2022-30599 | — | >= 3.9.0, < 3.9.14 | 3.9.14 | May 18, 2022 | A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria. | ||
| CVE-2022-30598 | — | >= 3.9.0, < 3.9.14 | 3.9.14 | May 18, 2022 | A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it. | ||
| CVE-2022-30597 | — | >= 3.9.0, < 3.9.14 | 3.9.14 | May 18, 2022 | A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field. | ||
| CVE-2022-30596 | — | >= 3.9.0, < 3.9.14 | 3.9.14 | May 18, 2022 | A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk. | ||
| CVE-2022-0984 | — | >= 3.9.0, < 3.9.13 | 3.9.13 | Apr 29, 2022 | Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges. | ||
| CVE-2022-0985 | — | < 3.9.13 | 3.9.13 | Apr 29, 2022 | Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability. | ||
| CVE-2022-0983 | — | >= 3.9.0, < 3.9.13 | 3.9.13 | Mar 25, 2022 | An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default. |
- CVE-2020-14320Aug 16, 2022affected >= 3.7.0, < 3.7.7fixed 3.7.7
In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.
- CVE-2020-1756Aug 16, 2022affected >= 3.5.0, < 3.5.11fixed 3.5.11
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool.
- CVE-2020-1755Aug 16, 2022affected >= 3.5.0, < 3.5.11fixed 3.5.11
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.
- CVE-2020-14322Aug 16, 2022affected >= 3.5.0, < 3.5.13fixed 3.5.13
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service.
- CVE-2020-14321Aug 16, 2022affected >= 3.5.0, < 3.5.13fixed 3.5.13
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.
- CVE-2020-1754Aug 5, 2022affected >= 3.5.0, < 3.5.11fixed 3.5.11
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.
- CVE-2020-1691Aug 5, 2022affected >= 3.8.0, < 3.8.1fixed 3.8.1
In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting.
- CVE-2022-35653Jul 25, 2022affected >= 3.9.0, < 3.9.15fixed 3.9.15
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script cod
- CVE-2022-35652Jul 25, 2022affected >= 3.9.0, < 3.9.15fixed 3.9.15
An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exp
- CVE-2022-35651Jul 25, 2022affected >= 3.9.0, < 3.9.15fixed 3.9.15
A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's
- CVE-2022-35650Jul 25, 2022affected >= 3.9.0, < 3.9.15fixed 3.9.15
The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to ac
- CVE-2022-35649Jul 25, 2022affected >= 3.9.0, < 3.9.15fixed 3.9.15
The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerabilit
- CVE-2022-30600May 18, 2022affected >= 3.9.0, < 3.9.14fixed 3.9.14
A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.
- CVE-2022-30599May 18, 2022affected >= 3.9.0, < 3.9.14fixed 3.9.14
A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.
- CVE-2022-30598May 18, 2022affected >= 3.9.0, < 3.9.14fixed 3.9.14
A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.
- CVE-2022-30597May 18, 2022affected >= 3.9.0, < 3.9.14fixed 3.9.14
A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.
- CVE-2022-30596May 18, 2022affected >= 3.9.0, < 3.9.14fixed 3.9.14
A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.
- CVE-2022-0984Apr 29, 2022affected >= 3.9.0, < 3.9.13fixed 3.9.13
Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.
- CVE-2022-0985Apr 29, 2022affected < 3.9.13fixed 3.9.13
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.
- CVE-2022-0983Mar 25, 2022affected >= 3.9.0, < 3.9.13fixed 3.9.13
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
Page 9 of 12