Vendor CVEs
Moodle
All CVEs
570 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-43430 | 0.00 | — | 0.00 | Nov 11, 2024 | A flaw was found in moodle. External API access to Quiz can override contained insufficient access control. | |||
| CVE-2024-43429 | 0.00 | — | 0.00 | Nov 11, 2024 | A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the information. | |||
| CVE-2024-43427 | 0.00 | — | 0.00 | Nov 11, 2024 | A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party. | |||
| CVE-2024-43440 | 0.00 | — | 0.01 | Nov 7, 2024 | A flaw was found in moodle. A local file may include risks when restoring block backups. | |||
| CVE-2024-43438 | 0.00 | — | 0.01 | Nov 7, 2024 | A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report. | |||
| CVE-2024-43436 | 0.00 | — | 0.01 | Nov 7, 2024 | A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators. | |||
| CVE-2024-43434 | 0.00 | — | 0.01 | Nov 7, 2024 | The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability. | |||
| CVE-2024-43431 | 0.00 | — | 0.00 | Nov 7, 2024 | A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access. | |||
| CVE-2024-43428 | 0.00 | — | 0.00 | Nov 7, 2024 | To address a cache poisoning risk in Moodle, additional validation for local storage was required. | |||
| CVE-2024-43426 | 0.00 | — | 0.01 | Nov 7, 2024 | A flaw was found in pdfTeX. Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available, such as those with TeX Live installed. | |||
| CVE-2024-34312 | 0.00 | — | 0.01 | Jun 24, 2024 | Virtual Programming Lab for Moodle up to v4.2.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component vplide.js. | |||
| CVE-2024-37674 | 0.00 | — | 0.01 | Jun 20, 2024 | Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name parameter) of a new activity. | |||
| CVE-2024-38277 | 0.00 | — | 0.00 | Jun 18, 2024 | A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two. | |||
| CVE-2024-38276 | 0.00 | — | 0.00 | Jun 18, 2024 | Incorrect CSRF token checks resulted in multiple CSRF risks. | |||
| CVE-2024-38275 | 0.00 | — | 0.00 | Jun 18, 2024 | The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs. | |||
| CVE-2024-38274 | 0.00 | — | 0.00 | Jun 18, 2024 | Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt. | |||
| CVE-2024-38273 | 0.00 | — | 0.00 | Jun 18, 2024 | Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access. | |||
| CVE-2024-34009 | 0.00 | — | 0.00 | May 31, 2024 | Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized. | |||
| CVE-2024-34008 | 0.00 | — | 0.00 | May 31, 2024 | Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk. | |||
| CVE-2024-34007 | 0.00 | — | 0.00 | May 31, 2024 | The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF. | |||
| CVE-2024-34006 | 0.00 | — | 0.00 | May 31, 2024 | The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered. | |||
| CVE-2024-34005 | 0.00 | — | 0.00 | May 31, 2024 | In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | |||
| CVE-2024-34004 | 0.00 | — | 0.00 | May 31, 2024 | In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | |||
| CVE-2024-34003 | 0.00 | — | 0.00 | May 31, 2024 | In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | |||
| CVE-2024-34002 | 0.00 | — | 0.00 | May 31, 2024 | In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include. | |||
| CVE-2024-34001 | 0.00 | — | 0.00 | May 31, 2024 | Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk. | |||
| CVE-2024-34000 | 0.00 | — | 0.00 | May 31, 2024 | ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk. | |||
| CVE-2024-33999 | 0.00 | — | 0.01 | May 31, 2024 | The referrer URL used by MFA required additional sanitizing, rather than being used directly. | |||
| CVE-2024-33998 | 0.00 | — | 0.00 | May 31, 2024 | Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features. | |||
| CVE-2024-33997 | 0.00 | — | 0.00 | May 31, 2024 | Additional sanitizing was required when opening the equation editor to prevent a stored XSS risk when editing another user's equation. | |||
| CVE-2024-33996 | 0.00 | — | 0.00 | May 31, 2024 | Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to. | |||
| CVE-2024-28593 | 0.00 | — | 0.01 | Mar 22, 2024 | The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do… | |||
| CVE-2024-29374 | 0.00 | — | 0.01 | Mar 21, 2024 | A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the "GET /?lang=" URL parameter. | |||
| CVE-2024-25983 | 0.00 | — | 0.01 | Feb 19, 2024 | Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page). | |||
| CVE-2024-25982 | 0.00 | — | 0.01 | Feb 19, 2024 | The link to update all installed language packs did not include the necessary token to prevent a CSRF risk. | |||
| CVE-2024-25981 | 0.00 | — | 0.01 | Feb 19, 2024 | Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers. | |||
| CVE-2024-25980 | 0.00 | — | 0.01 | Feb 19, 2024 | Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers. | |||
| CVE-2024-25979 | 0.00 | — | 0.01 | Feb 19, 2024 | The URL parameters accepted by forum search were not limited to the allowed parameters. | |||
| CVE-2024-25978 | 0.00 | — | 0.01 | Feb 19, 2024 | Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality. | |||
| CVE-2023-5543 | 0.00 | — | 0.00 | Nov 9, 2023 | When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting. | |||
| CVE-2023-5551 | 0.00 | — | 0.00 | Nov 9, 2023 | Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups. | |||
| CVE-2023-5550 | 0.00 | — | 0.01 | Nov 9, 2023 | In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. | |||
| CVE-2023-5549 | 0.00 | — | 0.01 | Nov 9, 2023 | Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage. | |||
| CVE-2023-5548 | 0.00 | — | 0.00 | Nov 9, 2023 | Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. | |||
| CVE-2023-5547 | 0.00 | — | 0.01 | Nov 9, 2023 | The course upload preview contained an XSS risk for users uploading unsafe data. | |||
| CVE-2023-5546 | 0.00 | — | 0.01 | Nov 9, 2023 | ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. | |||
| CVE-2023-5545 | 0.00 | — | 0.01 | Nov 9, 2023 | H5P metadata automatically populated the author with the user's username, which could be sensitive information. | |||
| CVE-2023-5544 | 0.00 | — | 0.01 | Nov 9, 2023 | Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. | |||
| CVE-2023-5542 | 0.00 | — | 0.00 | Nov 9, 2023 | Students in "Only see own membership" groups could see other students in the group, which should be hidden. | |||
| CVE-2023-5541 | 0.00 | — | 0.01 | Nov 9, 2023 | The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content. |
- CVE-2024-43430Nov 11, 2024risk 0.00cvss —epss 0.00
A flaw was found in moodle. External API access to Quiz can override contained insufficient access control.
- CVE-2024-43429Nov 11, 2024risk 0.00cvss —epss 0.00
A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the information.
- CVE-2024-43427Nov 11, 2024risk 0.00cvss —epss 0.00
A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.
- CVE-2024-43440Nov 7, 2024risk 0.00cvss —epss 0.01
A flaw was found in moodle. A local file may include risks when restoring block backups.
- CVE-2024-43438Nov 7, 2024risk 0.00cvss —epss 0.01
A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report.
- CVE-2024-43436Nov 7, 2024risk 0.00cvss —epss 0.01
A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators.
- CVE-2024-43434Nov 7, 2024risk 0.00cvss —epss 0.01
The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.
- CVE-2024-43431Nov 7, 2024risk 0.00cvss —epss 0.00
A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.
- CVE-2024-43428Nov 7, 2024risk 0.00cvss —epss 0.00
To address a cache poisoning risk in Moodle, additional validation for local storage was required.
- CVE-2024-43426Nov 7, 2024risk 0.00cvss —epss 0.01
A flaw was found in pdfTeX. Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available, such as those with TeX Live installed.
- CVE-2024-34312Jun 24, 2024risk 0.00cvss —epss 0.01
Virtual Programming Lab for Moodle up to v4.2.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component vplide.js.
- CVE-2024-37674Jun 20, 2024risk 0.00cvss —epss 0.01
Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name parameter) of a new activity.
- CVE-2024-38277Jun 18, 2024risk 0.00cvss —epss 0.00
A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.
- CVE-2024-38276Jun 18, 2024risk 0.00cvss —epss 0.00
Incorrect CSRF token checks resulted in multiple CSRF risks.
- CVE-2024-38275Jun 18, 2024risk 0.00cvss —epss 0.00
The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
- CVE-2024-38274Jun 18, 2024risk 0.00cvss —epss 0.00
Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.
- CVE-2024-38273Jun 18, 2024risk 0.00cvss —epss 0.00
Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.
- CVE-2024-34009May 31, 2024risk 0.00cvss —epss 0.00
Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized.
- CVE-2024-34008May 31, 2024risk 0.00cvss —epss 0.00
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.
- CVE-2024-34007May 31, 2024risk 0.00cvss —epss 0.00
The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.
- CVE-2024-34006May 31, 2024risk 0.00cvss —epss 0.00
The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.
- CVE-2024-34005May 31, 2024risk 0.00cvss —epss 0.00
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
- CVE-2024-34004May 31, 2024risk 0.00cvss —epss 0.00
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
- CVE-2024-34003May 31, 2024risk 0.00cvss —epss 0.00
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
- CVE-2024-34002May 31, 2024risk 0.00cvss —epss 0.00
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
- CVE-2024-34001May 31, 2024risk 0.00cvss —epss 0.00
Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.
- CVE-2024-34000May 31, 2024risk 0.00cvss —epss 0.00
ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk.
- CVE-2024-33999May 31, 2024risk 0.00cvss —epss 0.01
The referrer URL used by MFA required additional sanitizing, rather than being used directly.
- CVE-2024-33998May 31, 2024risk 0.00cvss —epss 0.00
Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features.
- CVE-2024-33997May 31, 2024risk 0.00cvss —epss 0.00
Additional sanitizing was required when opening the equation editor to prevent a stored XSS risk when editing another user's equation.
- CVE-2024-33996May 31, 2024risk 0.00cvss —epss 0.00
Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.
- CVE-2024-28593Mar 22, 2024risk 0.00cvss —epss 0.01
The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do…
- CVE-2024-29374Mar 21, 2024risk 0.00cvss —epss 0.01
A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the "GET /?lang=" URL parameter.
- CVE-2024-25983Feb 19, 2024risk 0.00cvss —epss 0.01
Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).
- CVE-2024-25982Feb 19, 2024risk 0.00cvss —epss 0.01
The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.
- CVE-2024-25981Feb 19, 2024risk 0.00cvss —epss 0.01
Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.
- CVE-2024-25980Feb 19, 2024risk 0.00cvss —epss 0.01
Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.
- CVE-2024-25979Feb 19, 2024risk 0.00cvss —epss 0.01
The URL parameters accepted by forum search were not limited to the allowed parameters.
- CVE-2024-25978Feb 19, 2024risk 0.00cvss —epss 0.01
Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.
- CVE-2023-5543Nov 9, 2023risk 0.00cvss —epss 0.00
When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting.
- CVE-2023-5551Nov 9, 2023risk 0.00cvss —epss 0.00
Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.
- CVE-2023-5550Nov 9, 2023risk 0.00cvss —epss 0.01
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.
- CVE-2023-5549Nov 9, 2023risk 0.00cvss —epss 0.01
Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.
- CVE-2023-5548Nov 9, 2023risk 0.00cvss —epss 0.00
Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.
- CVE-2023-5547Nov 9, 2023risk 0.00cvss —epss 0.01
The course upload preview contained an XSS risk for users uploading unsafe data.
- CVE-2023-5546Nov 9, 2023risk 0.00cvss —epss 0.01
ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.
- CVE-2023-5545Nov 9, 2023risk 0.00cvss —epss 0.01
H5P metadata automatically populated the author with the user's username, which could be sensitive information.
- CVE-2023-5544Nov 9, 2023risk 0.00cvss —epss 0.01
Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.
- CVE-2023-5542Nov 9, 2023risk 0.00cvss —epss 0.00
Students in "Only see own membership" groups could see other students in the group, which should be hidden.
- CVE-2023-5541Nov 9, 2023risk 0.00cvss —epss 0.01
The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.
Page 4 of 12