Moodle
by Moodle
Source repositories
CVEs (570)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-7491 | | Med | 0.28 | 4.3 | 0.01 | | May 15, 2017 | In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting. |
| CVE-2016-3732 | | Med | 0.28 | 4.3 | 0.01 | | Apr 20, 2017 | The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users. |
| CVE-2016-8643 | | Med | 0.28 | 4.3 | 0.01 | | Jan 20, 2017 | In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services. |
| CVE-2016-8642 | | Med | 0.28 | 5.3 | 0.01 | | Jan 20, 2017 | In Moodle 2.x and 3.x, the question engine allows access to files that should not be available. |
| CVE-2016-5014 | | Med | 0.28 | 5.4 | 0.01 | | Jan 20, 2017 | In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course. |
| CVE-2016-5013 | | Med | 0.28 | 5.4 | 0.01 | | Jan 20, 2017 | In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam. |
| CVE-2016-2190 | | Med | 0.28 | 5.3 | 0.02 | | May 22, 2016 | Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log. |
| CVE-2015-5336 | | Med | 0.28 | 5.4 | 0.01 | | Feb 22, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering… |
| CVE-2015-5272 | | Med | 0.28 | 4.3 | 0.01 | | Feb 22, 2016 | The Forum module in Moodle 2.7.x before 2.7.10 allows remote authenticated users to post to arbitrary groups by leveraging the teacher role, as demonstrated by a post directed to "all participants." |
| CVE-2015-5269 | | Med | 0.28 | 5.4 | 0.01 | | Feb 22, 2016 | Cross-site scripting (XSS) vulnerability in group/overview.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to inject arbitrary web script or HTML via a modified grouping description. |
| CVE-2015-5264 | | Med | 0.28 | 5.4 | 0.01 | | Feb 22, 2016 | The lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to bypass intended access restrictions and enter additional answer attempts by leveraging the student role. |
| CVE-2015-3273 | | Med | 0.28 | 4.3 | 0.01 | | Feb 22, 2016 | mod/forum/post.php in Moodle 2.9.x before 2.9.1 does not consider the mod/forum:canposttomygroups capability before authorizing "Post a copy to all groups" actions, which allows remote authenticated users to bypass intended access restrictions by leveraging per-group… |
| CVE-2017-12157 | | Med | 0.21 | 4.3 | 0.01 | | Sep 18, 2017 | In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access. |
| CVE-2017-7531 | | Med | 0.21 | 4.3 | 0.01 | | Jul 17, 2017 | In Moodle 3.3, the course overview block reveals activities in hidden courses. |
| CVE-2016-3733 | | Med | 0.21 | 4.3 | 0.01 | | Apr 20, 2017 | The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber. |
| CVE-2016-2159 | | Med | 0.21 | 4.3 | 0.01 | | May 22, 2016 | The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for… |
| CVE-2016-2158 | | Med | 0.21 | 4.3 | 0.02 | | May 22, 2016 | lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by… |
| CVE-2016-2156 | | Med | 0.21 | 4.3 | 0.02 | | May 22, 2016 | calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive… |
| CVE-2016-2155 | | Med | 0.21 | 4.3 | 0.02 | | May 22, 2016 | The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging… |
| CVE-2016-2154 | | Med | 0.21 | 4.3 | 0.02 | | May 22, 2016 | admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to discover hidden course names by subscribing to a… |