VYPR

Moodle

by Moodle

CVEs (570)

  • CVE-2025-62395 (Oct 23, 2025)
    risk 0.00 | cvss | epss 0.00

    A flaw in the cohort search web service allowed users with permissions in lower contexts to access cohort information from the system context, revealing restricted administrative data.

  • CVE-2025-62400 (Oct 23, 2025)
    risk 0.00 | cvss | epss 0.00

    Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.

  • CVE-2025-62399 (Oct 23, 2025)
    risk 0.00 | cvss | epss 0.00

    Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.

  • CVE-2025-62398 (Oct 23, 2025)
    risk 0.00 | cvss | epss 0.00

    A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts.

  • CVE-2025-62397 (Oct 23, 2025)
    risk 0.00 | cvss | epss 0.00

    The router’s inconsistent response to invalid course IDs allowed attackers to infer which course IDs exist, potentially aiding reconnaissance.

  • CVE-2025-62396 (Oct 23, 2025)
    risk 0.00 | cvss | epss 0.00

    An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.

  • CVE-2025-62394 (Oct 23, 2025)
    risk 0.00 | cvss | epss 0.00

    Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.

  • CVE-2025-62393 (Oct 23, 2025)
    risk 0.00 | cvss | epss 0.00

    A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course details.

  • CVE-2025-34032 (Jun 24, 2025)
    risk 0.00 | cvss | epss 0.01

    A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute…

  • CVE-2025-53021 (Jun 24, 2025)
    risk 0.00 | cvss | epss 0.00

    A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being…

  • CVE-2025-32045 (Apr 25, 2025)
    risk 0.00 | cvss | epss 0.00

    A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades.

  • CVE-2025-32044 (Apr 25, 2025)
    risk 0.00 | cvss | epss 0.00

    A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact information, and hashed passwords—via stack traces returned by specific API calls. Sites with PHP configured with…

  • CVE-2025-3647 (Apr 25, 2025)
    risk 0.00 | cvss | epss 0.00

    A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.

  • CVE-2025-3645 (Apr 25, 2025)
    risk 0.00 | cvss | epss 0.00

    A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.

  • CVE-2025-3644 (Apr 25, 2025)
    risk 0.00 | cvss | epss 0.00

    A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.

  • CVE-2025-3643 (Apr 25, 2025)
    risk 0.00 | cvss | epss 0.00

    A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected cross-site scripting (XSS) risk.

  • CVE-2025-3642 (Apr 25, 2025)
    risk 0.00 | cvss | epss 0.01

    A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.

  • CVE-2025-3641 (Apr 25, 2025)
    risk 0.00 | cvss | epss 0.01

    A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.

  • CVE-2025-3640 (Apr 25, 2025)
    risk 0.00 | cvss | epss 0.00

    A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access.

  • CVE-2025-3638 (Apr 25, 2025)
    risk 0.00 | cvss | epss 0.00

    A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a cross-site request forgery (CSRF) risk.