Vendor CVEs
Moodle
All CVEs
570 total · sorted by risk

| CVE | Severity | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2017-2641 | Critical | 0.68 | 9.8 | 0.15 | Mar 26, 2017 | In Moodle 2.x and 3.x, SQL injection can occur via user preferences. |
| CVE-2025-60507 | High | 0.58 | 8.9 | 0.00 | Oct 21, 2025 | Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users… |
| CVE-2016-9187 | High | 0.58 | 8.8 | 0.04 | Nov 4, 2016 | Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. |
| CVE-2016-9186 | High | 0.58 | 8.8 | 0.04 | Nov 4, 2016 | Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. |
| CVE-2016-3734 | High | 0.50 | 8.8 | 0.01 | Apr 20, 2017 | Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that mark forum posts as read. |
| CVE-2016-2157 | High | 0.50 | 8.8 | 0.01 | May 22, 2016 | Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests… |
| CVE-2015-5338 | High | 0.50 | 8.8 | 0.01 | Feb 22, 2016 | Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1)… |
| CVE-2016-7919 | High | 0.49 | 7.5 | 0.02 | Oct 28, 2016 | Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting… |
| CVE-2016-7038 | High | 0.48 | 7.3 | 0.01 | Jan 20, 2017 | In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. |
| CVE-2015-5332 | Medium | 0.44 | 6.8 | 0.02 | Feb 22, 2016 | Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role and entering drafts with the editor-autosave feature. |
| CVE-2017-2642 | Medium | 0.42 | 6.5 | 0.01 | Jul 17, 2017 | Moodle 3.x has user fullname disclosure on the user preferences page. |
| CVE-2016-3729 | Medium | 0.42 | 6.5 | 0.01 | Apr 20, 2017 | The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator. |
| CVE-2015-5267 | High | 0.42 | 7.5 | 0.02 | Feb 22, 2016 | lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict… |
| CVE-2017-7489 | Medium | 0.41 | 6.3 | 0.01 | May 15, 2017 | In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link. |
| CVE-2015-3272 | High | 0.41 | 7.4 | 0.02 | Feb 22, 2016 | Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors… |
| CVE-2022-50943 | Medium | 0.40 | 6.1 | 0.00 | May 10, 2026 | Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary… |
| CVE-2017-2645 | Medium | 0.40 | 6.1 | 0.01 | Mar 26, 2017 | In Moodle 3.x, XSS can occur via attachments to evidence of prior learning. |
| CVE-2017-5945 | Medium | 0.40 | 6.1 | 0.01 | Feb 10, 2017 | An issue was discovered in the PoodLL Filter plugin through 3.0.20 for Moodle. The vulnerability exists due to insufficient filtration of user-supplied data in the "poodll_audio_url" HTTP GET parameter passed to the "filter_poodll_moodle32_2016112802/poodll/mp3recorderskins/brazi… |
| CVE-2017-2578 | Medium | 0.40 | 6.1 | 0.01 | Jan 20, 2017 | In Moodle 3.x, there is XSS in the assignment submission page. |
| CVE-2016-9188 | Medium | 0.40 | 6.1 | 0.02 | Nov 4, 2016 | Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters. |
| CVE-2016-0725 | Medium | 0.40 | 6.1 | 0.02 | Feb 22, 2016 | Cross-site scripting (XSS) vulnerability in the search_pagination function in course/classes/management_renderer.php in Moodle 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted search… |
| CVE-2015-5266 | Medium | 0.37 | 6.8 | 0.02 | Feb 22, 2016 | The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing… |
| CVE-2025-60506 | Medium | 0.35 | 5.4 | 0.00 | Oct 21, 2025 | Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When any other user (Student, Teacher, or… |
| CVE-2017-7532 | Medium | 0.35 | 6.5 | 0.01 | Jul 17, 2017 | In Moodle 3.x, course creators are able to change system default settings for courses. |
| CVE-2017-7490 | Medium | 0.35 | 5.3 | 0.01 | May 15, 2017 | In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing. |
| CVE-2016-3731 | Medium | 0.35 | 5.3 | 0.02 | Apr 20, 2017 | Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 allows remote attackers to obtain the names of hidden forums and forum discussions. |
| CVE-2017-7298 | Medium | 0.35 | 5.4 | 0.01 | Mar 29, 2017 | In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element. |
| CVE-2017-2643 | Medium | 0.35 | 5.3 | 0.02 | Mar 26, 2017 | In Moodle 3.2.x, global search displays user names for unauthenticated users. |
| CVE-2017-2576 | Medium | 0.35 | 5.3 | 0.01 | Jan 20, 2017 | In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums. |
| CVE-2016-8644 | Medium | 0.35 | 5.3 | 0.01 | Jan 20, 2017 | In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context. |
| CVE-2016-5012 | Medium | 0.35 | 5.3 | 0.01 | Jan 20, 2017 | In Moodle 3.x, glossary search displays entries without checking user permissions to view them. |
| CVE-2017-12156 | Medium | 0.33 | 6.1 | 0.01 | Sep 18, 2017 | Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback. |
| CVE-2017-2644 | Medium | 0.33 | 6.1 | 0.01 | Mar 26, 2017 | In Moodle 3.x, XSS can occur via evidence of prior learning. |
| CVE-2016-2153 | Medium | 0.33 | 6.1 | 0.01 | May 22, 2016 | Cross-site scripting (XSS) vulnerability in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via a crafted field… |
| CVE-2016-2152 | Medium | 0.33 | 6.1 | 0.01 | May 22, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an external DB profile field. |
| CVE-2015-5337 | Medium | 0.33 | 6.1 | 0.01 | Feb 22, 2016 | Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file. |
| CVE-2015-3275 | Medium | 0.33 | 6.1 | 0.01 | Feb 22, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in the SCORM module in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allow remote attackers to inject arbitrary web script or HTML via a crafted organization name to (1)… |
| CVE-2015-3274 | Medium | 0.33 | 6.1 | 0.01 | Feb 22, 2016 | Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging absence of an… |
| CVE-2025-60511 | Medium | 0.28 | 4.3 | 0.00 | Oct 21, 2025 | Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's… |
| CVE-2017-15110 | Medium | 0.28 | 4.3 | 0.01 | Nov 20, 2017 | In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other… |
| CVE-2017-7491 | Medium | 0.28 | 4.3 | 0.01 | May 15, 2017 | In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting. |
| CVE-2016-3732 | Medium | 0.28 | 4.3 | 0.01 | Apr 20, 2017 | The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users. |
| CVE-2016-8643 | Medium | 0.28 | 4.3 | 0.01 | Jan 20, 2017 | In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services. |
| CVE-2016-8642 | Medium | 0.28 | 5.3 | 0.01 | Jan 20, 2017 | In Moodle 2.x and 3.x, the question engine allows access to files that should not be available. |
| CVE-2016-5014 | Medium | 0.28 | 5.4 | 0.01 | Jan 20, 2017 | In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course. |
| CVE-2016-5013 | Medium | 0.28 | 5.4 | 0.01 | Jan 20, 2017 | In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam. |
| CVE-2016-2190 | Medium | 0.28 | 5.3 | 0.02 | May 22, 2016 | Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log. |
| CVE-2015-5336 | Medium | 0.28 | 5.4 | 0.01 | Feb 22, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering… |
| CVE-2015-5272 | Medium | 0.28 | 4.3 | 0.01 | Feb 22, 2016 | The Forum module in Moodle 2.7.x before 2.7.10 allows remote authenticated users to post to arbitrary groups by leveraging the teacher role, as demonstrated by a post directed to "all participants." |
| CVE-2015-5269 | Medium | 0.28 | 5.4 | 0.01 | Feb 22, 2016 | Cross-site scripting (XSS) vulnerability in group/overview.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to inject arbitrary web script or HTML via a modified grouping description. |
Page 1 of 12