VYPR

Moodle

by Moodle

CVEs (570)

  • CVE-2024-33996 (May 31, 2024)
    risk 0.00 cvss, epss 0.00

    Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.

  • CVE-2024-28593 (Mar 22, 2024)
    risk 0.00 cvss, epss 0.01

    The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do…

  • CVE-2024-29374 (Mar 21, 2024)
    risk 0.00 cvss, epss 0.01

    A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the "GET /?lang=" URL parameter.

  • CVE-2024-25983 (Feb 19, 2024)
    risk 0.00 cvss, epss 0.01

    Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).

  • CVE-2024-25982 (Feb 19, 2024)
    risk 0.00 cvss, epss 0.01

    The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

  • CVE-2024-25981 (Feb 19, 2024)
    risk 0.00 cvss, epss 0.01

    Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.

  • CVE-2024-25980 (Feb 19, 2024)
    risk 0.00 cvss, epss 0.01

    Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

  • CVE-2024-25979 (Feb 19, 2024)
    risk 0.00 cvss, epss 0.01

    The URL parameters accepted by forum search were not limited to the allowed parameters.

  • CVE-2024-25978 (Feb 19, 2024)
    risk 0.00 cvss, epss 0.01

    Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.

  • CVE-2023-5543 (Nov 9, 2023)
    risk 0.00 cvss, epss 0.00

    When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting.

  • CVE-2023-5551 (Nov 9, 2023)
    risk 0.00 cvss, epss 0.00

    Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.

  • CVE-2023-5550 (Nov 9, 2023)
    risk 0.00 cvss, epss 0.01

    In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

  • CVE-2023-5549 (Nov 9, 2023)
    risk 0.00 cvss, epss 0.01

    Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.

  • CVE-2023-5548 (Nov 9, 2023)
    risk 0.00 cvss, epss 0.00

    Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.

  • CVE-2023-5547 (Nov 9, 2023)
    risk 0.00 cvss, epss 0.01

    The course upload preview contained an XSS risk for users uploading unsafe data.

  • CVE-2023-5546 (Nov 9, 2023)
    risk 0.00 cvss, epss 0.01

    ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

  • CVE-2023-5545 (Nov 9, 2023)
    risk 0.00 cvss, epss 0.01

    H5P metadata automatically populated the author with the user's username, which could be sensitive information.

  • CVE-2023-5544 (Nov 9, 2023)
    risk 0.00 cvss, epss 0.01

    Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

  • CVE-2023-5542 (Nov 9, 2023)
    risk 0.00 cvss, epss 0.00

    Students in "Only see own membership" groups could see other students in the group, which should be hidden.

  • CVE-2023-5541 (Nov 9, 2023)
    risk 0.00 cvss, epss 0.01

    The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.

Page 10 of 29