Vendor CVEs
Moodle
All CVEs
570 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-30598 | | | 0.00 | — | 0.01 | | May 18, 2022 | A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it. |
| CVE-2022-30597 | | | 0.00 | — | 0.01 | | May 18, 2022 | A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field. |
| CVE-2022-30596 | | | 0.00 | — | 0.01 | | May 18, 2022 | A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk. |
| CVE-2022-28601 | | | 0.00 | — | 0.02 | | May 10, 2022 | A Two-Factor Authentication (2FA) bypass vulnerability in "Simple 2FA Plugin for Moodle" by LMS Doctor allows remote attackers to overwrite the phone number used for confirmation via the profile.php file, thereby allowing them to bypass the phone verification mechanism. |
| CVE-2022-0985 | | | 0.00 | — | 0.01 | | Apr 29, 2022 | Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability. |
| CVE-2021-32474 | | | 0.00 | — | 0.01 | | Mar 11, 2022 | An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier… |
| CVE-2021-32473 | | | 0.00 | — | 0.01 | | Mar 11, 2022 | It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. |
| CVE-2021-32475 | | | 0.00 | — | 0.01 | | Mar 11, 2022 | ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. |
| CVE-2021-32477 | | | 0.00 | — | 0.01 | | Mar 11, 2022 | The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). Moodle versions 3.10 to 3.10.3 are affected. |
| CVE-2021-32476 | | | 0.00 | — | 0.01 | | Mar 11, 2022 | A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. |
| CVE-2021-32472 | | | 0.00 | — | 0.01 | | Mar 11, 2022 | Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 are affected. |
| CVE-2021-32478 | | | 0.00 | — | 0.01 | | Mar 11, 2022 | The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected. |
| CVE-2022-0335 | | | 0.00 | — | 0.01 | | Jan 25, 2022 | A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk. |
| CVE-2022-0334 | | | 0.00 | — | 0.01 | | Jan 25, 2022 | A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view… |
| CVE-2022-0333 | | | 0.00 | — | 0.01 | | Jan 25, 2022 | A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events. |
| CVE-2022-0332 | | | 0.00 | — | 0.45 | | Jan 25, 2022 | A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data. |
| CVE-2019-14827 | | | 0.00 | — | 0.01 | | May 17, 2021 | A vulnerability was found in Moodle where JavaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another… |
| CVE-2019-14831 | | | 0.00 | — | 0.01 | | Mar 19, 2021 | A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the forum subscribe link contained an open redirect if forced subscription mode was enabled. If a forum's subscription mode was set to "forced subscription", the… |
| CVE-2019-14830 | | | 0.00 | — | 0.03 | | Mar 19, 2021 | A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does… |
| CVE-2019-14829 | | | 0.00 | — | 0.01 | | Mar 19, 2021 | A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode. |
| CVE-2019-14828 | | | 0.00 | — | 0.01 | | Mar 19, 2021 | A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be… |
| CVE-2020-1692 | | | 0.00 | — | 0.01 | | Feb 17, 2020 | Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course. |
| CVE-2012-1161 | | | 0.00 | — | 0.01 | | Nov 14, 2019 | Moodle before 2.2.2: course information leak via hidden courses being displayed in tag search results. |
| CVE-2012-1170 | | | 0.00 | — | 0.01 | | Nov 14, 2019 | Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough. |
| CVE-2012-1169 | | | 0.00 | — | 0.02 | | Nov 14, 2019 | Moodle before 2.2.2 has a personal information disclosure: when the administrative setting for user name display is set to first name only, full names are still shown in page breadcrumbs. |
| CVE-2012-1160 | | | 0.00 | — | 0.01 | | Nov 14, 2019 | Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe/unsubscribe via mod/forum/index.php. |
| CVE-2012-1159 | | | 0.00 | — | 0.01 | | Nov 14, 2019 | Moodle before 2.2.2: the Overview report allows users to see hidden courses. |
| CVE-2012-1158 | | | 0.00 | — | 0.01 | | Nov 14, 2019 | Moodle before 2.2.2 has a course information leak in the gradebook where users are able to see hidden grade items in an export. |
| CVE-2012-1157 | | | 0.00 | — | 0.01 | | Nov 14, 2019 | Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default. |
| CVE-2012-1156 | | | 0.00 | — | 0.02 | | Nov 14, 2019 | Moodle before 2.2.2 has users' private files included in course backups. |
| CVE-2012-1168 | | | 0.00 | — | 0.02 | | Nov 14, 2019 | Moodle before 2.2.2 has a password and web services issue where, when the user profile is updated, the user password is reset if not specified. |
| CVE-2012-1155 | | | 0.00 | — | 0.02 | | Nov 14, 2019 | Moodle has a database activity export permission issue where the export function of the database activity module exports all entries, even those from groups the user does not belong to. |
| CVE-2019-10186 | | | 0.00 | — | 0.01 | | Jul 31, 2019 | A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool. |
| CVE-2019-10187 | | | 0.00 | — | 0.01 | | Jul 31, 2019 | A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to. |
| CVE-2019-10188 | | | 0.00 | — | 0.01 | | Jul 31, 2019 | A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in a quiz group could modify group overrides for other groups in the same quiz. |
| CVE-2019-10189 | | | 0.00 | — | 0.01 | | Jul 31, 2019 | A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in an assignment group could modify group overrides for other groups in the same assignment. |
| CVE-2019-10154 | | | 0.00 | — | 0.01 | | Jun 26, 2019 | A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations. |
| CVE-2019-10134 | | | 0.00 | — | 0.01 | | Jun 26, 2019 | A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email was not correctly checked, so their quota allowance could be exceeded. |
| CVE-2019-10133 | | | 0.00 | — | 0.01 | | Jun 26, 2019 | A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs. |
| CVE-2019-3847 | | | 0.00 | — | 0.02 | | Mar 27, 2019 | A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was… |
| CVE-2019-3852 | | | 0.00 | — | 0.01 | | Mar 26, 2019 | A vulnerability was found in moodle before version 3.6.3. The get_with_capability_join and get_users_by_capability functions were not taking context freezing into account when checking user capabilities. |
| CVE-2019-3851 | | | 0.00 | — | 0.01 | | Mar 26, 2019 | A vulnerability was found in moodle before versions 3.6.3 and 3.5.5. There was a link to site home within the Boost theme's secure layout, meaning students could navigate out of the page. |
| CVE-2019-3850 | | | 0.00 | — | 0.01 | | Mar 26, 2019 | A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header… |
| CVE-2019-3849 | | | 0.00 | — | 0.01 | | Mar 26, 2019 | A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. |
| CVE-2019-3848 | | | 0.00 | — | 0.01 | | Mar 26, 2019 | A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was… |
| CVE-2019-3809 | | | 0.00 | — | 0.01 | | Mar 25, 2019 | A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests… |
| CVE-2019-3808 | | | 0.00 | — | 0.01 | | Mar 25, 2019 | A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is… |
| CVE-2019-6970 | | | 0.00 | — | 0.01 | | Mar 18, 2019 | Moodle 3.5.x before 3.5.4 allows SSRF. |
| CVE-2015-3181 | | | 0.00 | — | 0.02 | | Jun 1, 2015 | files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not consider the moodle/user:manageownfiles capability before approving a private-file upload, which allows remote authenticated users to bypass intended… |
| CVE-2015-3180 | | | 0.00 | — | 0.02 | | Jun 1, 2015 | lib/navigationlib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to obtain sensitive course-structure information by leveraging access to a student account with a suspended enrolment. |
Page 6 of 12