VYPR

Moodle

by Moodle

CVEs (570)

  • CVE-2020-1756 (Aug 16, 2022)
    risk 0.00 | cvss | epss 0.01

    In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool.

  • CVE-2020-1755 (Aug 16, 2022)
    risk 0.00 | cvss | epss 0.00

    In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.

  • CVE-2020-14321 (Aug 16, 2022)
    risk 0.00 | cvss | epss 0.16

    In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.

  • CVE-2020-14322 (Aug 16, 2022)
    risk 0.00 | cvss | epss 0.01

    In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service.

  • CVE-2020-1754 (Aug 5, 2022)
    risk 0.00 | cvss | epss 0.01

    In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.

  • CVE-2020-1691 (Aug 5, 2022)
    risk 0.00 | cvss | epss 0.01

    In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting.

  • CVE-2022-35652 (Jul 25, 2022)
    risk 0.00 | cvss | epss 0.01

    An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in the mobile auto-login feature. A remote attacker can create a link that appears to lead to a trusted website; however, when clicked, it redirects the victim to an arbitrary URL/domain. Successful…

  • CVE-2022-35651 (Jul 25, 2022)
    risk 0.00 | cvss | epss 0.01

    A stored XSS and blind SSRF vulnerability was found in Moodle, which occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's…

  • CVE-2022-30600 (May 18, 2022)
    risk 0.00 | cvss | epss 0.05

    A flaw was found in Moodle where the logic used to count failed login attempts could result in the account lockout threshold being bypassed.

  • CVE-2022-30599 (May 18, 2022)
    risk 0.00 | cvss | epss 0.01

    A flaw was found in Moodle where an SQL injection risk was identified in the Badges code relating to configuring criteria.

  • CVE-2022-30598 (May 18, 2022)
    risk 0.00 | cvss | epss 0.01

    A flaw was found in Moodle where global search results could include author information on some activities where a user may not otherwise have access to it.

  • CVE-2022-30597 (May 18, 2022)
    risk 0.00 | cvss | epss 0.01

    A flaw was found in Moodle where the description user field was not hidden when it was configured as a hidden user field.

  • CVE-2022-30596 (May 18, 2022)
    risk 0.00 | cvss | epss 0.01

    A flaw was found in Moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.

  • CVE-2022-28601 (May 10, 2022)
    risk 0.00 | cvss | epss 0.02

    A Two-Factor Authentication (2FA) bypass vulnerability in "Simple 2FA Plugin for Moodle" by LMS Doctor allows remote attackers to overwrite the phone number used for confirmation via the profile.php file, thereby allowing them to bypass the phone verification mechanism.

  • CVE-2022-0985 (Apr 29, 2022)
    risk 0.00 | cvss | epss 0.01

    Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.

  • CVE-2021-32474 (Mar 11, 2022)
    risk 0.00 | cvss | epss 0.01

    An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier…

  • CVE-2021-32473 (Mar 11, 2022)
    risk 0.00 | cvss | epss 0.01

    It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.

  • CVE-2021-32475 (Mar 11, 2022)
    risk 0.00 | cvss | epss 0.01

    ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.

  • CVE-2021-32477 (Mar 11, 2022)
    risk 0.00 | cvss | epss 0.01

    The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). Moodle versions 3.10 to 3.10.3 are affected.

  • CVE-2021-32478 (Mar 11, 2022)
    risk 0.00 | cvss | epss 0.01

    The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected.
