VYPR

Vendor CVEs: Moodle

All CVEs (570 total · sorted by risk)
  • CVE-2015-5264 · Med · Feb 22, 2016
    risk 0.28 · cvss 5.4 · epss 0.01

    The lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to bypass intended access restrictions and enter additional answer attempts by leveraging the student role.

  • CVE-2015-3273 · Med · Feb 22, 2016
    risk 0.28 · cvss 4.3 · epss 0.01

    mod/forum/post.php in Moodle 2.9.x before 2.9.1 does not consider the mod/forum:canposttomygroups capability before authorizing "Post a copy to all groups" actions, which allows remote authenticated users to bypass intended access restrictions by leveraging per-group…

  • CVE-2017-12157 · Med · Sep 18, 2017
    risk 0.21 · cvss 4.3 · epss 0.01

    In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access.

  • CVE-2017-7531 · Med · Jul 17, 2017
    risk 0.21 · cvss 4.3 · epss 0.01

    In Moodle 3.3, the course overview block reveals activities in hidden courses.

  • CVE-2016-3733 · Med · Apr 20, 2017
    risk 0.21 · cvss 4.3 · epss 0.01

    The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber.

  • CVE-2016-2159 · Med · May 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.01

    The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for…

  • CVE-2016-2158 · Med · May 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.02

    lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by…

  • CVE-2016-2156 · Med · May 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.02

    calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive…

  • CVE-2016-2155 · Med · May 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.02

    The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging…

  • CVE-2016-2154 · Med · May 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.02

    admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to discover hidden course names by subscribing to a…

  • CVE-2016-2151 · Med · May 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.02

    user/index.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 grants excessive authorization on the basis of the moodle/course:viewhiddenuserfields capability, which allows remote authenticated users to discover…

  • CVE-2016-0724 · Med · Feb 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.02

    The (1) core_enrol_get_course_enrolment_methods and (2) enrol_self_get_instance_info web services in Moodle through 2.6.11, 2.7.x before 2.7.12, 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 do not consider the moodle/course:viewhiddencourses capability, which…

  • CVE-2015-5342 · Med · Feb 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.01

    The choice module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote authenticated users to bypass intended access restrictions by visiting a URL to add or delete responses in the closed state.

  • CVE-2015-5341 · Med · Feb 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.01

    mod_scorm in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 mishandles availability dates, which allows remote authenticated users to bypass intended access restrictions and read SCORM contents via unspecified vectors.

  • CVE-2015-5340 · Med · Feb 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.01

    Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbadges capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) badges/overview.php or (2)…

  • CVE-2015-5339 · Med · Feb 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.01

    The core_enrol_get_enrolled_users web service in enrol/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly implement group-based access restrictions, which allows remote authenticated users to obtain…

  • CVE-2015-5335 · Med · Feb 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in admin/registration/register.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote attackers to hijack the authentication of administrators for requests that send statistics…

  • CVE-2015-5331 · Med · Feb 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.01

    Moodle 2.9.x before 2.9.3 does not properly check the contact list before authorizing message transmission, which allows remote authenticated users to bypass intended access restrictions and conduct spam attacks via the messaging API.

  • CVE-2015-5268 · Med · Feb 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.02

    The rating component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 mishandles group-based authorization checks, which allows remote authenticated users to obtain sensitive information by reading a rating value.

  • CVE-2015-5265 · Med · Feb 22, 2016
    risk 0.21 · cvss 4.3 · epss 0.01

    The wiki component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 does not consider the mod/wiki:managefiles capability before authorizing file management, which allows remote authenticated users to delete arbitrary files by using a…

  • CVE-2024-43425 · Nov 7, 2024
    risk 0.10 · cvss n/a · epss 0.83

    A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.

  • CVE-2013-3630 · Nov 1, 2013
    risk 0.06 · cvss n/a · epss 0.43

    Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.

  • CVE-2022-35650 · Jul 25, 2022
    risk 0.04 · cvss n/a · epss 0.49

    The vulnerability, found in Moodle, occurs due to an input validation error when importing lesson questions. These insufficient path checks result in an arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to…

  • CVE-2019-3810 · Mar 25, 2019
    risk 0.04 · cvss n/a · epss 0.14

    A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by…

  • CVE-2006-0147 · Jan 9, 2006
    risk 0.04 · cvss n/a · epss 0.13

    Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote…

  • CVE-2006-0146 · Jan 9, 2006
    risk 0.04 · cvss n/a · epss 0.13

    The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to…

  • CVE-2009-1171 · Mar 30, 2009
    risk 0.03 · cvss n/a · epss 0.06

    The TeX filter in Moodle 1.6 before 1.6.9+, 1.7 before 1.7.7+, 1.8 before 1.8.9, and 1.9 before 1.9.5 allows user-assisted attackers to read arbitrary files via an input command in a "$$" sequence, which causes LaTeX to include the contents of the file.

  • CVE-2007-6538 · Dec 27, 2007
    risk 0.03 · cvss n/a · epss 0.04

    SQL injection vulnerability in ing/blocks/mrbs/code/web/view_entry.php in the MRBS plugin for Moodle allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2007-1647 · Mar 24, 2007
    risk 0.03 · cvss n/a · epss 0.03

    Moodle 1.5.2 and earlier stores sensitive information under the web root with insufficient access control, and provides directory listings, which allows remote attackers to obtain user names, password hashes, and other sensitive information via a direct request for session…

  • CVE-2006-5219 · Oct 10, 2006
    risk 0.03 · cvss n/a · epss 0.02

    SQL injection vulnerability in blog/index.php in the blog module in Moodle 1.6.2 allows remote attackers to execute arbitrary SQL commands via a double-encoded tag parameter.

  • CVE-2006-3951 · Aug 1, 2006
    risk 0.03 · cvss n/a · epss 0.03

    PHP remote file inclusion vulnerability in moodle.php in Mam-moodle alpha component (com_moodle) for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.

  • CVE-2004-1978 · Apr 30, 2004
    risk 0.03 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in help.php in Moodle before 1.3 allows remote attackers to inject arbitrary HTML and web script via the text parameter.

  • CVE-2021-36393 · Mar 6, 2023
    risk 0.02 · cvss n/a · epss 0.52

    In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

  • CVE-2025-34031 · Jun 24, 2025
    risk 0.01 · cvss n/a · epss 0.03

    A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from…

  • CVE-2021-36394 · Mar 6, 2023
    risk 0.01 · cvss n/a · epss 0.07

    In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

  • CVE-2022-35649 · Jul 25, 2022
    risk 0.01 · cvss n/a · epss 0.06

    The vulnerability, found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this…

  • CVE-2008-1502 · Mar 25, 2008
    risk 0.01 · cvss n/a · epss 0.10

    The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing…

  • CVE-2026-26046 · Feb 21, 2026
    risk 0.00 · cvss n/a · epss 0.02

    A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an…

  • CVE-2025-67857 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A flaw was found in Moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information…

  • CVE-2025-67856 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to,…

  • CVE-2025-67855 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through…

  • CVE-2025-67853 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.

  • CVE-2025-67852 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could…

  • CVE-2025-67851 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute.…

  • CVE-2025-67850 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A flaw was found in Moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users…

  • CVE-2025-67849 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen,…

  • CVE-2025-67848 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling…

  • CVE-2025-67847 · Jan 23, 2026
    risk 0.00 · cvss n/a · epss 0.01

    A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation…

  • CVE-2021-47857 · Jan 21, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code…

  • CVE-2025-62401 · Oct 23, 2025
    risk 0.00 · cvss n/a · epss 0.00

    An issue in Moodle’s timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to complete an assessment.

Page 2 of 12