Moodle

Source repositories

https://github.com/moodle/moodle

CVEs (570)

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2017-2641	Moodle Moodle	Cri	0.68	9.8	0.15	Mar 26, 2017	In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
CVE-2025-60507	Moodle Moodle	Hig	0.58	8.9	0.00	Oct 21, 2025	Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users…
CVE-2016-9187	Moodle Moodle	Hig	0.58	8.8	0.04	Nov 4, 2016	Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.
CVE-2016-9186	Moodle Moodle	Hig	0.58	8.8	0.04	Nov 4, 2016	Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.
CVE-2016-3734	Moodle Moodle	Hig	0.50	8.8	0.01	Apr 20, 2017	Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that marks forum posts as read.
CVE-2016-2157	Moodle Moodle	Hig	0.50	8.8	0.01	May 22, 2016	Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests…
CVE-2015-5338	Moodle Moodle	Hig	0.50	8.8	0.01	Feb 22, 2016	Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1)…
CVE-2016-7919	Moodle Moodle	Hig	0.49	7.5	0.02	Oct 28, 2016	Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting…
CVE-2016-7038	Moodle Moodle	Hig	0.48	7.3	0.01	Jan 20, 2017	In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.
CVE-2015-5332	Moodle Moodle	Med	0.44	6.8	0.02	Feb 22, 2016	Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role and entering drafts with the editor-autosave feature.
CVE-2017-2642	Moodle Moodle	Med	0.42	6.5	0.01	Jul 17, 2017	Moodle 3.x has user fullname disclosure on the user preferences page.
CVE-2016-3729	Moodle Moodle	Med	0.42	6.5	0.01	Apr 20, 2017	The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator.
CVE-2015-5267	Moodle Moodle	Hig	0.42	7.5	0.02	Feb 22, 2016	lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict…
CVE-2017-7489	Moodle Moodle	Med	0.41	6.3	0.01	May 15, 2017	In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
CVE-2015-3272	Moodle Moodle	Hig	0.41	7.4	0.02	Feb 22, 2016	Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors…
CVE-2022-50943	Moodle Moodle	Med	0.40	6.1	0.00	May 10, 2026	Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary…
CVE-2017-2645	Moodle Moodle	Med	0.40	6.1	0.01	Mar 26, 2017	In Moodle 3.x, XSS can occur via attachments to evidence of prior learning.
CVE-2017-5945	Moodle Moodle	Med	0.40	6.1	0.01	Feb 10, 2017	An issue was discovered in the PoodLL Filter plugin through 3.0.20 for Moodle. The vulnerability exists due to insufficient filtration of user-supplied data in the "poodll_audio_url" HTTP GET parameter passed to the "filter_poodll_moodle32_2016112802/poodll/mp3recorderskins/brazi…
CVE-2017-2578	Moodle Moodle	Med	0.40	6.1	0.01	Jan 20, 2017	In Moodle 3.x, there is XSS in the assignment submission page.
CVE-2016-9188	Moodle Moodle	Med	0.40	6.1	0.02	Nov 4, 2016	Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters.

CVE-2017-2641CriMar 26, 2017
Moodle
Moodle
risk 0.68cvss 9.8epss 0.15
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
CVE-2025-60507HigOct 21, 2025
Moodle
Moodle
risk 0.58cvss 8.9epss 0.00
Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users…
CVE-2016-9187HigNov 4, 2016
Moodle
Moodle
risk 0.58cvss 8.8epss 0.04
Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.
CVE-2016-9186HigNov 4, 2016
Moodle
Moodle
risk 0.58cvss 8.8epss 0.04
Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.
CVE-2016-3734HigApr 20, 2017
Moodle
Moodle
risk 0.50cvss 8.8epss 0.01
Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that marks forum posts as read.
CVE-2016-2157HigMay 22, 2016
Moodle
Moodle
risk 0.50cvss 8.8epss 0.01
Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests…
CVE-2015-5338HigFeb 22, 2016
Moodle
Moodle
risk 0.50cvss 8.8epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1)…
CVE-2016-7919HigOct 28, 2016
Moodle
Moodle
risk 0.49cvss 7.5epss 0.02
Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting…
CVE-2016-7038HigJan 20, 2017
Moodle
Moodle
risk 0.48cvss 7.3epss 0.01
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.
CVE-2015-5332MedFeb 22, 2016
Moodle
Moodle
risk 0.44cvss 6.8epss 0.02
Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role and entering drafts with the editor-autosave feature.
CVE-2017-2642MedJul 17, 2017
Moodle
Moodle
risk 0.42cvss 6.5epss 0.01
Moodle 3.x has user fullname disclosure on the user preferences page.
CVE-2016-3729MedApr 20, 2017
Moodle
Moodle
risk 0.42cvss 6.5epss 0.01
The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator.
CVE-2015-5267HigFeb 22, 2016
Moodle
Moodle
risk 0.42cvss 7.5epss 0.02
lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict…
CVE-2017-7489MedMay 15, 2017
Moodle
Moodle
risk 0.41cvss 6.3epss 0.01
In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
CVE-2015-3272HigFeb 22, 2016
Moodle
Moodle
risk 0.41cvss 7.4epss 0.02
Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors…
CVE-2022-50943MedMay 10, 2026
Moodle
Moodle
risk 0.40cvss 6.1epss 0.00
Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary…
CVE-2017-2645MedMar 26, 2017
Moodle
Moodle
risk 0.40cvss 6.1epss 0.01
In Moodle 3.x, XSS can occur via attachments to evidence of prior learning.
CVE-2017-5945MedFeb 10, 2017
Moodle
Moodle
risk 0.40cvss 6.1epss 0.01
An issue was discovered in the PoodLL Filter plugin through 3.0.20 for Moodle. The vulnerability exists due to insufficient filtration of user-supplied data in the "poodll_audio_url" HTTP GET parameter passed to the "filter_poodll_moodle32_2016112802/poodll/mp3recorderskins/brazi…
CVE-2017-2578MedJan 20, 2017
Moodle
Moodle
risk 0.40cvss 6.1epss 0.01
In Moodle 3.x, there is XSS in the assignment submission page.
CVE-2016-9188MedNov 4, 2016
Moodle
Moodle
risk 0.40cvss 6.1epss 0.02
Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters.

Page 1 of 29