Moodle
by Moodle
CVEs (570 total; the 20 entries on this page are listed below, sorted by risk score)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-0725 | Med | 0.40 | 6.1 | 0.02 | | Feb 22, 2016 | Cross-site scripting (XSS) vulnerability in the search_pagination function in course/classes/management_renderer.php in Moodle 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted search… |
| CVE-2015-5266 | Med | 0.37 | 6.8 | 0.02 | | Feb 22, 2016 | The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing… |
| CVE-2025-60506 | Med | 0.35 | 5.4 | 0.00 | | Oct 21, 2025 | Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When any other user (Student, Teacher, or… |
| CVE-2017-7532 | Med | 0.35 | 6.5 | 0.01 | | Jul 17, 2017 | In Moodle 3.x, course creators are able to change system default settings for courses. |
| CVE-2017-7490 | Med | 0.35 | 5.3 | 0.01 | | May 15, 2017 | In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing. |
| CVE-2016-3731 | Med | 0.35 | 5.3 | 0.02 | | Apr 20, 2017 | Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 allows remote attackers to obtain the names of hidden forums and forum discussions. |
| CVE-2017-7298 | Med | 0.35 | 5.4 | 0.01 | | Mar 29, 2017 | In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element. |
| CVE-2017-2643 | Med | 0.35 | 5.3 | 0.02 | | Mar 26, 2017 | In Moodle 3.2.x, global search displays user names for unauthenticated users. |
| CVE-2017-2576 | Med | 0.35 | 5.3 | 0.01 | | Jan 20, 2017 | In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums. |
| CVE-2016-8644 | Med | 0.35 | 5.3 | 0.01 | | Jan 20, 2017 | In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context. |
| CVE-2016-5012 | Med | 0.35 | 5.3 | 0.01 | | Jan 20, 2017 | In Moodle 3.x, glossary search displays entries without checking user permissions to view them. |
| CVE-2017-12156 | Med | 0.33 | 6.1 | 0.01 | | Sep 18, 2017 | Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback. |
| CVE-2017-2644 | Med | 0.33 | 6.1 | 0.01 | | Mar 26, 2017 | In Moodle 3.x, XSS can occur via evidence of prior learning. |
| CVE-2016-2153 | Med | 0.33 | 6.1 | 0.01 | | May 22, 2016 | Cross-site scripting (XSS) vulnerability in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via a crafted field… |
| CVE-2016-2152 | Med | 0.33 | 6.1 | 0.01 | | May 22, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an external DB profile field. |
| CVE-2015-5337 | Med | 0.33 | 6.1 | 0.01 | | Feb 22, 2016 | Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file. |
| CVE-2015-3275 | Med | 0.33 | 6.1 | 0.01 | | Feb 22, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in the SCORM module in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allow remote attackers to inject arbitrary web script or HTML via a crafted organization name to (1)… |
| CVE-2015-3274 | Med | 0.33 | 6.1 | 0.01 | | Feb 22, 2016 | Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging absence of an… |
| CVE-2025-60511 | Med | 0.28 | 4.3 | 0.00 | | Oct 21, 2025 | Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's… |
| CVE-2017-15110 | Med | 0.28 | 4.3 | 0.01 | | Nov 20, 2017 | In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other… |
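The one part of this listing that can be checked mechanically is the affected-version clause in each description. The older Moodle core entries use two phrasings, "<branch>.x before <first fixed>" and "[<branch>] through <last affected>"; entries that only say "3.x" or name a plugin version give no core range at all. The script below is an added triage example, not code from Moodle or from the CVE feed: it parses those two phrasings from a handful of descriptions copied (and abbreviated) from the table above, evaluates an installed core version against them, and reports every entry with no parseable range as "unknown" so it is reviewed by hand rather than silently dropped. It assumes the installed version is given as dotted integers (strip a trailing "+" from Moodle's weekly builds before calling it) and makes no claim about ranges in CVE records beyond what the text on this page states.

```python
"""Triage the Moodle CVE listing above against an installed core version.

Added example; not part of the CVE feed, of Moodle, or of any CVE record.
Only the two affected-version phrasings seen on this page are parsed:
  "<major.minor>.x before <version>"   -> affected if installed < version
  "[<major.minor>] through <version>"  -> affected if installed <= version
Entries with no parseable range are reported as unknown for manual review.
"""
import re

# Entries copied from the table on this page; descriptions are abbreviated to
# the text around the version clauses (constructed sample input).
ENTRIES = {
    "CVE-2016-0725": "XSS in search_pagination in Moodle 2.8.x before 2.8.10, "
                     "2.9.x before 2.9.4, and 3.0.x before 3.0.2",
    "CVE-2015-5266": "enrol_meta_sync in Moodle through 2.6.11, 2.7.x before "
                     "2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2",
    "CVE-2016-3731": "Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 "
                     "through 2.8.11 allows remote attackers to obtain the names",
    "CVE-2017-7532": "In Moodle 3.x, course creators are able to change system "
                     "default settings for courses.",
    "CVE-2025-60506": "Moodle PDF Annotator plugin v1.5 release 9 allows stored "
                      "cross-site scripting (XSS) via the Public Comments feature.",
}

# "<branch>.x before <fixed>": the fixed release is excluded from the range.
BEFORE_RE = re.compile(r"(\d+\.\d+)\.x before (\d+(?:\.\d+)+)")
# "[<branch>] through <last>": the named release is still affected; the branch
# prefix is optional ("Moodle through 2.6.11" means every release up to it).
THROUGH_RE = re.compile(r"(?:(\d+\.\d+) )?through (\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple:
    """'2.8.10' -> (2, 8, 10); tuples compare component-wise, as versions do."""
    return tuple(int(part) for part in text.split("."))


def parse_ranges(description: str) -> list:
    """Return (branch, bound, inclusive) triples; branch None means any branch."""
    ranges = []
    for branch, fixed in BEFORE_RE.findall(description):
        ranges.append((parse_version(branch), parse_version(fixed), False))
    for branch, last in THROUGH_RE.findall(description):
        # findall yields "" for an absent optional group, hence the test.
        ranges.append((parse_version(branch) if branch else None,
                       parse_version(last), True))
    return ranges


def in_range(installed: tuple, rng: tuple) -> bool:
    """True when the installed version falls inside one parsed clause."""
    branch, bound, inclusive = rng
    if branch is not None and installed[:len(branch)] != branch:
        return False  # clause is about a different stable branch
    return installed <= bound if inclusive else installed < bound


def triage(installed_version: str, entries: dict = ENTRIES) -> dict:
    """Bucket each entry as affected, not_affected, or unknown (manual check)."""
    installed = parse_version(installed_version)
    result = {"affected": [], "not_affected": [], "unknown": []}
    for cve, description in entries.items():
        ranges = parse_ranges(description)
        if not ranges:
            result["unknown"].append(cve)
        elif any(in_range(installed, r) for r in ranges):
            result["affected"].append(cve)
        else:
            result["not_affected"].append(cve)
    return result


if __name__ == "__main__":
    for version in ("2.8.9", "3.0.2", "2.5.3"):
        print(version, triage(version))
```

The "unknown" bucket is deliberate: "In Moodle 3.x" entries and the two plugin entries (PDF Annotator, OpenAI Chat Block) cannot be resolved from a core version string, and a triage script that reports them as "not affected" would be wrong. Plugin entries need the installed plugin version compared against the version named in the description.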
Page 2 of 29