VYPR

Moodle: All CVEs

570 total · sorted by risk
  • CVE-2017-2641 · Critical · Mar 26, 2017
    risk 0.68 · CVSS 9.8 · EPSS 0.15

    In Moodle 2.x and 3.x, SQL injection can occur via user preferences.

  • CVE-2025-60507 · High · Oct 21, 2025
    risk 0.58 · CVSS 8.9 · EPSS 0.00

    Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users…

  • CVE-2016-9187 · High · Nov 4, 2016
    risk 0.58 · CVSS 8.8 · EPSS 0.04

    Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.

  • CVE-2016-9186 · High · Nov 4, 2016
    risk 0.58 · CVSS 8.8 · EPSS 0.04

    Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.

  • CVE-2016-3734 · High · Apr 20, 2017
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that mark forum posts as read.

  • CVE-2016-2157 · High · May 22, 2016
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests…

  • CVE-2015-5338 · High · Feb 22, 2016
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1)…

  • CVE-2016-7919 · High · Oct 28, 2016
    risk 0.49 · CVSS 7.5 · EPSS 0.02

    Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting…

  • CVE-2016-7038 · High · Jan 20, 2017
    risk 0.48 · CVSS 7.3 · EPSS 0.01

    In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.

  • CVE-2015-5332 · Medium · Feb 22, 2016
    risk 0.44 · CVSS 6.8 · EPSS 0.02

    Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role and entering drafts with the editor-autosave feature.

  • CVE-2017-2642 · Medium · Jul 17, 2017
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    Moodle 3.x has user fullname disclosure on the user preferences page.

  • CVE-2016-3729 · Medium · Apr 20, 2017
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator.

  • CVE-2015-5267 · High · Feb 22, 2016
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict…

  • CVE-2017-7489 · Medium · May 15, 2017
    risk 0.41 · CVSS 6.3 · EPSS 0.01

    In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.

  • CVE-2015-3272 · High · Feb 22, 2016
    risk 0.41 · CVSS 7.4 · EPSS 0.02

    Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors…

  • CVE-2022-50943 · Medium · May 10, 2026
    risk 0.40 · CVSS 6.1 · EPSS 0.00

    Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary…

  • CVE-2017-2645 · Medium · Mar 26, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    In Moodle 3.x, XSS can occur via attachments to evidence of prior learning.

  • CVE-2017-5945 · Medium · Feb 10, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    An issue was discovered in the PoodLL Filter plugin through 3.0.20 for Moodle. The vulnerability exists due to insufficient filtration of user-supplied data in the "poodll_audio_url" HTTP GET parameter passed to the "filter_poodll_moodle32_2016112802/poodll/mp3recorderskins/brazi…

  • CVE-2017-2578 · Medium · Jan 20, 2017
    risk 0.40 · CVSS 6.1 · EPSS 0.01

    In Moodle 3.x, there is XSS in the assignment submission page.

  • CVE-2016-9188 · Medium · Nov 4, 2016
    risk 0.40 · CVSS 6.1 · EPSS 0.02

    Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters.

  • CVE-2016-0725 · Medium · Feb 22, 2016
    risk 0.40 · CVSS 6.1 · EPSS 0.02

    Cross-site scripting (XSS) vulnerability in the search_pagination function in course/classes/management_renderer.php in Moodle 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted search…

  • CVE-2015-5266 · Medium · Feb 22, 2016
    risk 0.37 · CVSS 6.8 · EPSS 0.02

    The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing…

  • CVE-2025-60506 · Medium · Oct 21, 2025
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When any other user (Student, Teacher, or…

  • CVE-2017-7532 · Medium · Jul 17, 2017
    risk 0.35 · CVSS 6.5 · EPSS 0.01

    In Moodle 3.x, course creators are able to change system default settings for courses.

  • CVE-2017-7490 · Medium · May 15, 2017
    risk 0.35 · CVSS 5.3 · EPSS 0.01

    In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.

  • CVE-2016-3731 · Medium · Apr 20, 2017
    risk 0.35 · CVSS 5.3 · EPSS 0.02

    Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 allows remote attackers to obtain the names of hidden forums and forum discussions.

  • CVE-2017-7298 · Medium · Mar 29, 2017
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element.

  • CVE-2017-2643 · Medium · Mar 26, 2017
    risk 0.35 · CVSS 5.3 · EPSS 0.02

    In Moodle 3.2.x, global search displays user names for unauthenticated users.

  • CVE-2017-2576 · Medium · Jan 20, 2017
    risk 0.35 · CVSS 5.3 · EPSS 0.01

    In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.

  • CVE-2016-8644 · Medium · Jan 20, 2017
    risk 0.35 · CVSS 5.3 · EPSS 0.01

    In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.

  • CVE-2016-5012 · Medium · Jan 20, 2017
    risk 0.35 · CVSS 5.3 · EPSS 0.01

    In Moodle 3.x, glossary search displays entries without checking user permissions to view them.

  • CVE-2017-12156 · Medium · Sep 18, 2017
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback.

  • CVE-2017-2644 · Medium · Mar 26, 2017
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    In Moodle 3.x, XSS can occur via evidence of prior learning.

  • CVE-2016-2153 · Medium · May 22, 2016
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Cross-site scripting (XSS) vulnerability in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via a crafted field…

  • CVE-2016-2152 · Medium · May 22, 2016
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an external DB profile field.

  • CVE-2015-5337 · Medium · Feb 22, 2016
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file.

  • CVE-2015-3275 · Medium · Feb 22, 2016
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the SCORM module in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allow remote attackers to inject arbitrary web script or HTML via a crafted organization name to (1)…

  • CVE-2015-3274 · Medium · Feb 22, 2016
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging absence of an…

  • CVE-2025-60511 · Medium · Oct 21, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's…

  • CVE-2017-15110 · Medium · Nov 20, 2017
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other…

  • CVE-2017-7491 · Medium · May 15, 2017
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.

  • CVE-2016-3732 · Medium · Apr 20, 2017
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users.

  • CVE-2016-8643 · Medium · Jan 20, 2017
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.

  • CVE-2016-8642 · Medium · Jan 20, 2017
    risk 0.28 · CVSS 5.3 · EPSS 0.01

    In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.

  • CVE-2016-5014 · Medium · Jan 20, 2017
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course.

  • CVE-2016-5013 · Medium · Jan 20, 2017
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.

  • CVE-2016-2190 · Medium · May 22, 2016
    risk 0.28 · CVSS 5.3 · EPSS 0.02

    Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log.

  • CVE-2015-5336 · Medium · Feb 22, 2016
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering…

  • CVE-2015-5272 · Medium · Feb 22, 2016
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    The Forum module in Moodle 2.7.x before 2.7.10 allows remote authenticated users to post to arbitrary groups by leveraging the teacher role, as demonstrated by a post directed to "all participants."

  • CVE-2015-5269 · Medium · Feb 22, 2016
    risk 0.28 · CVSS 5.4 · EPSS 0.01

    Cross-site scripting (XSS) vulnerability in group/overview.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to inject arbitrary web script or HTML via a modified grouping description.

Page 1 of 12