VYPR

Moodle

by Moodle

CVEs (570)

  • CVE-2016-0725 | Med | Feb 22, 2016
    risk 0.40 | cvss 6.1 | epss 0.02

    Cross-site scripting (XSS) vulnerability in the search_pagination function in course/classes/management_renderer.php in Moodle 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted search…

  • CVE-2015-5266 | Med | Feb 22, 2016
    risk 0.37 | cvss 6.8 | epss 0.02

    The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing…

  • CVE-2025-60506 | Med | Oct 21, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When any other user (Student, Teacher, or…

  • CVE-2017-7532 | Med | Jul 17, 2017
    risk 0.35 | cvss 6.5 | epss 0.01

    In Moodle 3.x, course creators are able to change system default settings for courses.

  • CVE-2017-7490 | Med | May 15, 2017
    risk 0.35 | cvss 5.3 | epss 0.01

    In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.

  • CVE-2016-3731 | Med | Apr 20, 2017
    risk 0.35 | cvss 5.3 | epss 0.02

    Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 allows remote attackers to obtain the names of hidden forums and forum discussions.

  • CVE-2017-7298 | Med | Mar 29, 2017
    risk 0.35 | cvss 5.4 | epss 0.01

    In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element.

  • CVE-2017-2643 | Med | Mar 26, 2017
    risk 0.35 | cvss 5.3 | epss 0.02

    In Moodle 3.2.x, global search displays user names for unauthenticated users.

  • CVE-2017-2576 | Med | Jan 20, 2017
    risk 0.35 | cvss 5.3 | epss 0.01

    In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.

  • CVE-2016-8644 | Med | Jan 20, 2017
    risk 0.35 | cvss 5.3 | epss 0.01

    In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.

  • CVE-2016-5012 | Med | Jan 20, 2017
    risk 0.35 | cvss 5.3 | epss 0.01

    In Moodle 3.x, glossary search displays entries without checking user permissions to view them.

  • CVE-2017-12156 | Med | Sep 18, 2017
    risk 0.33 | cvss 6.1 | epss 0.01

    Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback.

  • CVE-2017-2644 | Med | Mar 26, 2017
    risk 0.33 | cvss 6.1 | epss 0.01

    In Moodle 3.x, XSS can occur via evidence of prior learning.

  • CVE-2016-2153 | Med | May 22, 2016
    risk 0.33 | cvss 6.1 | epss 0.01

    Cross-site scripting (XSS) vulnerability in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via a crafted field…

  • CVE-2016-2152 | Med | May 22, 2016
    risk 0.33 | cvss 6.1 | epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an external DB profile field.

  • CVE-2015-5337 | Med | Feb 22, 2016
    risk 0.33 | cvss 6.1 | epss 0.01

    Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file.

  • CVE-2015-3275 | Med | Feb 22, 2016
    risk 0.33 | cvss 6.1 | epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the SCORM module in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allow remote attackers to inject arbitrary web script or HTML via a crafted organization name to (1)…

  • CVE-2015-3274 | Med | Feb 22, 2016
    risk 0.33 | cvss 6.1 | epss 0.01

    Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging absence of an…

  • CVE-2025-60511 | Med | Oct 21, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's…

  • CVE-2017-15110 | Med | Nov 20, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other…
