Vendor
Moodle
Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License. Moodle is used for blended learning, distance education, flipped classroom and other online learning projects in schools, universities, workplaces and other sectors.
Founded 2002
Products
1
CVEs
356
Across products
6,891
Status
Private
Products
1- 6,891 CVEs
Recent CVEs
356

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-2641 | Critical | 0.67 | 9.8 | 0.02 | | Mar 26, 2017 | In Moodle 2.x and 3.x, SQL injection can occur via user preferences. |
| CVE-2016-9187 | High | 0.57 | 8.8 | 0.02 | | Nov 4, 2016 | Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. |
| CVE-2016-9186 | High | 0.57 | 8.8 | 0.02 | | Nov 4, 2016 | Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. |
| CVE-2016-2157 | High | 0.50 | 8.8 | 0.00 | | May 22, 2016 | Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests that manage Assignment plugins. |
| CVE-2015-5338 | High | 0.50 | 8.8 | 0.00 | | Feb 22, 2016 | Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1) mod/lesson/mediafile.php or (2) mod/lesson/view.php. |
| CVE-2015-5332 | Medium | 0.44 | 6.8 | 0.01 | | Feb 22, 2016 | Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role and entering drafts with the editor-autosave feature. |
| CVE-2017-2642 | Medium | 0.42 | 6.5 | 0.00 | | Jul 17, 2017 | Moodle 3.x has user fullname disclosure on the user preferences page. |
| CVE-2015-5267 | High | 0.42 | 7.5 | 0.00 | | Feb 22, 2016 | lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. |
| CVE-2017-7489 | Medium | 0.41 | 6.3 | 0.00 | | May 15, 2017 | In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link. |
| CVE-2015-3272 | High | 0.41 | 7.4 | 0.00 | | Feb 22, 2016 | Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an HTTP Referer header that has a substring match with a local URL. |
| CVE-2022-50943 | Medium | 0.40 | 6.1 | 0.00 | | May 10, 2026 | Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary scripts in users' browsers and steal session cookies. |
| CVE-2017-2645 | Medium | 0.40 | 6.1 | 0.00 | | Mar 26, 2017 | In Moodle 3.x, XSS can occur via attachments to evidence of prior learning. |
| CVE-2017-2578 | Medium | 0.40 | 6.1 | 0.00 | | Jan 20, 2017 | In Moodle 3.x, there is XSS in the assignment submission page. |
| CVE-2016-9188 | Medium | 0.40 | 6.1 | 0.00 | | Nov 4, 2016 | Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters. |
| CVE-2016-0725 | Medium | 0.40 | 6.1 | 0.01 | | Feb 22, 2016 | Cross-site scripting (XSS) vulnerability in the search_pagination function in course/classes/management_renderer.php in Moodle 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted search string. |
| CVE-2015-5266 | Medium | 0.37 | 6.8 | 0.00 | | Feb 22, 2016 | The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing during a long-running sync script. |
| CVE-2017-7532 | Medium | 0.35 | 6.5 | 0.00 | | Jul 17, 2017 | In Moodle 3.x, course creators are able to change system default settings for courses. |
| CVE-2017-7298 | Medium | 0.35 | 5.4 | 0.00 | | Mar 29, 2017 | In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element. |
| CVE-2017-2643 | Medium | 0.35 | 5.3 | 0.01 | | Mar 26, 2017 | In Moodle 3.2.x, global search displays user names for unauthenticated users. |
| CVE-2017-7490 | Medium | 0.34 | 5.3 | 0.00 | | May 15, 2017 | In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing. |
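The CVE-2015-3272 entry above describes the classic way a "local URL" check turns into an open redirect: the target is accepted because the site root merely appears somewhere inside it. The Python below is an added illustration written for this page, not Moodle's PHP code and not a reconstruction of clean_param's source. It reimplements that substring check beside a check that compares the parsed origin (scheme, host, effective port), and runs both over a set of constructed URLs; the site root `WWWROOT` and the hostnames `moodle.example.edu` and `evil.example` are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical site root for this illustration. Moodle keeps the real value in
# $CFG->wwwroot; nothing here is taken from Moodle's code.
WWWROOT = "https://moodle.example.edu"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def is_local_url_substring(url: str, wwwroot: str = WWWROOT) -> bool:
    """Weak check: call the URL local if the site root appears anywhere in it.

    This is the bug class named in the CVE-2015-3272 entry: any attacker URL
    that embeds the site root (in the query string, as a userinfo component, or
    as a subdomain prefix) passes.
    """
    return wwwroot in url


def _origin(parts):
    """(scheme, lowercase host, effective port) of a SplitResult.

    Raises ValueError on a malformed port, which the caller treats as reject.
    """
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme.lower(), parts.hostname, port)


def is_local_url_origin(url: str, wwwroot: str = WWWROOT) -> bool:
    """Hardened check: accept a genuine relative path or an exact same-origin URL."""
    # Browsers treat '\' as '/' in http(s) URLs, so '/\evil.example' is really
    # '//evil.example'. Normalise first so the parser sees what the browser sees.
    candidate = url.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme == "" and parts.netloc == "":
        # No scheme and no authority: a path such as /course/view.php?id=2.
        # '//evil.example' does not land here because its netloc is non-empty.
        return True
    try:
        return _origin(parts) == _origin(urlsplit(wwwroot))
    except ValueError:  # non-numeric or out-of-range port
        return False


# Constructed vectors (hypothetical hosts) with the verdict a correct
# same-origin check must give.
VECTORS = [
    ("https://moodle.example.edu/course/view.php?id=2", True),
    ("/login/index.php", True),
    ("https://MOODLE.example.edu:443/my/", True),        # case and default port
    ("https://evil.example/?next=https://moodle.example.edu", False),
    ("https://moodle.example.edu.evil.example/", False),  # subdomain prefix
    ("https://moodle.example.edu@evil.example/", False),  # userinfo trick
    ("//evil.example/", False),                           # protocol-relative
    ("/\\evil.example/", False),                          # backslash variant
    ("javascript:alert(document.cookie)", False),
]


def substring_check_mistakes(vectors=VECTORS):
    """URLs on which the substring check gives the wrong verdict."""
    return [url for url, expected in vectors if is_local_url_substring(url) != expected]


def origin_check_is_correct(vectors=VECTORS) -> bool:
    """True when the origin check agrees with every expected verdict."""
    return all(is_local_url_origin(url) == expected for url, expected in vectors)


if __name__ == "__main__":
    for url, expected in VECTORS:
        print(f"{url:60s} substring={is_local_url_substring(url)!s:5s} "
              f"origin={is_local_url_origin(url)!s:5s} expected={expected}")
```

Two points worth noting before reusing this shape. The origin check also rejects a scheme downgrade (`http://moodle.example.edu/` when the root is `https`), which is what you want for a post-login redirect. It does not, however, confine the target to a path prefix: if the site root carries a path (for example `https://host/moodle`), a same-origin comparison alone will still accept `https://host/other-app/`, so a deployment like that needs an additional path-prefix check on the normalised URL.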