Moodle
by Moodle
Source repositories
CVEs (570)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2021-36400 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions. |
| CVE-2021-36403 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk. |
| CVE-2021-36396 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk. |
| CVE-2021-36401 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk. |
| CVE-2021-36392 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses. |
| CVE-2021-36397 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, insufficient capability checks meant message deletions were not limited to the current user. |
| CVE-2021-36399 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk. |
| CVE-2021-36395 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service. |
| CVE-2021-36402 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk. |
| CVE-2023-23921 | 0.00 | — | 0.01 | Feb 17, 2023 | The vulnerability was found in Moodle and exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in context… |
| CVE-2023-23922 | 0.00 | — | 0.01 | Feb 17, 2023 | The vulnerability was found in Moodle and exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in context of vulnerable… |
| CVE-2023-23923 | 0.00 | — | 0.01 | Feb 17, 2023 | The vulnerability was found in Moodle and exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted… |
| CVE-2020-36633 | 0.00 | — | 0.00 | Dec 27, 2022 | A vulnerability was found in moodle-block_sitenews 1.0. It has been classified as problematic. This affects the function get_content of the file block_sitenews.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to… |
| CVE-2022-45152 | 0.00 | — | 0.01 | Nov 25, 2022 | A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in the LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An… |
| CVE-2022-45150 | 0.00 | — | 0.01 | Nov 23, 2022 | A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user-supplied data in the policy tool. An attacker can trick the victim into opening a specially crafted link that executes arbitrary HTML and script code in… |
| CVE-2022-45151 | 0.00 | — | 0.01 | Nov 23, 2022 | A stored XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in several "social" user profile fields. An attacker could inject and execute arbitrary HTML and script code in the user's browser in context of vulnerable… |
| CVE-2022-45149 | 0.00 | — | 0.00 | Nov 23, 2022 | A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in the course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the… |
| CVE-2022-40314 | 0.00 | — | 0.02 | Sep 30, 2022 | A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified. |
| CVE-2021-36568 | 0.00 | — | 0.01 | Sep 13, 2022 | In certain Moodle products, after creating a course it is possible to add to an arbitrary "Topic" a resource, in this case a "Database" with the type "Text", where its values "Field name" and "Field description" are vulnerable to stored Cross-Site Scripting (XSS). This affects… |
| CVE-2020-14320 | 0.00 | — | 0.01 | Aug 16, 2022 | In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk. |
Page 12 of 29