VYPR

Moodle

by Moodle

CVEs (570)

  • CVE-2017-7491 · Med · May 15, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.

  • CVE-2016-3732 · Med · Apr 20, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users.

  • CVE-2016-8643 · Med · Jan 20, 2017
    risk 0.28 · cvss 4.3 · epss 0.01

    In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.

  • CVE-2016-8642 · Med · Jan 20, 2017
    risk 0.28 · cvss 5.3 · epss 0.01

    In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.

  • CVE-2016-5014 · Med · Jan 20, 2017
    risk 0.28 · cvss 5.4 · epss 0.01

    In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course.

  • CVE-2016-5013 · Med · Jan 20, 2017
    risk 0.28 · cvss 5.4 · epss 0.01

    In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.

  • CVE-2016-2190 · Med · May 22, 2016
    risk 0.28 · cvss 5.3 · epss 0.02

    Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log.

  • CVE-2015-5336 · Med · Feb 22, 2016
    risk 0.28 · cvss 5.4 · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering…

  • CVE-2015-5272 · Med · Feb 22, 2016
    risk 0.28 · cvss 4.3 · epss 0.01

    The Forum module in Moodle 2.7.x before 2.7.10 allows remote authenticated users to post to arbitrary groups by leveraging the teacher role, as demonstrated by a post directed to "all participants."

  • CVE-2015-5269 · Med · Feb 22, 2016
    risk 0.28 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in group/overview.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to inject arbitrary web script or HTML via a modified grouping description.

  • CVE-2015-5264 · Med · Feb 22, 2016
    risk 0.28 · cvss 5.4 · epss 0.01

    The lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to bypass intended access restrictions and enter additional answer attempts by leveraging the student role.

  • CVE-2015-3273 · Med · Feb 22, 2016
    risk 0.28 · cvss 4.3 · epss 0.01

    mod/forum/post.php in Moodle 2.9.x before 2.9.1 does not consider the mod/forum:canposttomygroups capability before authorizing "Post a copy to all groups" actions, which allows remote authenticated users to bypass intended access restrictions by leveraging per-group…

  • CVE-2017-12157 · Med · Sep 18, 2017
    risk 0.21 · cvss 4.3 · epss 0.01

    In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access.

  • CVE-2017-7531 · Med · Jul 17, 2017
    risk 0.21 · cvss 4.3 · epss 0.01

    In Moodle 3.3, the course overview block reveals activities in hidden courses.

  • CVE-2016-3733 · Med · Apr 20, 2017
    risk 0.21 · cvss 4.3 · epss 0.01

    The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber.

  • CVE-2016-2159 · Med · May 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.01

    The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for…

  • CVE-2016-2158 · Med · May 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.02

    lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by…

  • CVE-2016-2156 · Med · May 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.02

    calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive…

  • CVE-2016-2155 · Med · May 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.02

    The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging…

  • CVE-2016-2154 · Med · May 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.02

    admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to discover hidden course names by subscribing to a…

Page 3 of 29