Search Results (Refine Search)
- CPE Product Version: cpe:/a:moodle:moodle:2.0.6
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2013-1831 |
lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message. Published: March 25, 2013; 5:55:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2013-1830 |
user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search. Published: March 25, 2013; 5:55:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-3398 |
Algorithmic complexity vulnerability in Moodle 1.9.x before 1.9.19, 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to cause a denial of service (CPU consumption) by using the advanced-search feature on a database activity that has many records. Published: July 23, 2012; 5:55:05 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2012-3397 |
lib/modinfolib.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 does not check for a group-membership requirement when determining whether an activity is unavailable or hidden, which allows remote authenticated users to bypass intended access restrictions by selecting an activity that is configured for a group of other users. Published: July 23, 2012; 5:55:04 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2012-3396 |
Cross-site scripting (XSS) vulnerability in cohort/edit_form.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the idnumber field. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2365. Published: July 23, 2012; 5:55:04 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2012-3395 |
SQL injection vulnerability in mod/feedback/complete.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to execute arbitrary SQL commands via crafted form data. Published: July 23, 2012; 5:55:04 PM -0400 |
V3.x:(not available) V2.0: 6.5 MEDIUM |
CVE-2012-2367 |
Moodle 1.9.x before 1.9.18, 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to bypass the moodle/calendar:manageownentries capability requirement and add a calendar entry via a New Entry action. Published: July 20, 2012; 11:38:56 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2012-2365 |
Cross-site scripting (XSS) vulnerability in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via the idnumber field to cohort/edit.php. Published: July 20, 2012; 11:38:56 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2012-2364 |
Cross-site scripting (XSS) vulnerability in lib/filelib.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via an assignment submission with zip compression, leading to text/html rendering during a "download all" action. Published: July 20, 2012; 11:38:56 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2012-2361 |
Cross-site scripting (XSS) vulnerability in admin/webservice/forms.php in the web services implementation in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via the name field (aka the service name) to admin/webservice/service.php. Published: July 20, 2012; 11:38:56 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2012-2360 |
Cross-site scripting (XSS) vulnerability in the Wiki subsystem in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted string that is inserted into a page title. Published: July 20, 2012; 11:38:56 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2012-2359 |
admin/roles/override.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to gain privileges by leveraging the teacher role and modifying their own capabilities, as demonstrated by obtaining the backup:userinfo capability. Published: July 20, 2012; 11:38:56 PM -0400 |
V3.x:(not available) V2.0: 6.5 MEDIUM |
CVE-2012-2358 |
Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to bypass an activity's read-only state and modify the database by leveraging the student role and editing database activity entries that already exist. Published: July 20, 2012; 11:38:55 PM -0400 |
V3.x:(not available) V2.0: 5.5 MEDIUM |
CVE-2012-0800 |
The form-autocompletion functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 makes it easier for physically proximate attackers to discover passwords by reading the contents of a non-password field, as demonstrated by accessing a create-groups page with Safari on an iPad device. Published: July 17, 2012; 6:20:53 AM -0400 |
V3.x:(not available) V2.0: 2.1 LOW |
CVE-2012-0799 |
Moodle 2.0.x before 2.0.7 and 2.1.x before 2.1.4, when an anonymous front-page forum is enabled, allows remote attackers to obtain session keys for their sessions by visiting the front page. Published: July 17, 2012; 6:20:53 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-0797 |
The webservices functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote authenticated users to bypass the deleted status and continue using a server via a token. Published: July 17, 2012; 6:20:53 AM -0400 |
V3.x:(not available) V2.0: 5.5 MEDIUM |
CVE-2012-0796 |
class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 and other products, allows remote authenticated users to inject arbitrary e-mail headers via vectors involving a crafted (1) From: or (2) Sender: header. Published: July 17, 2012; 6:20:53 AM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2012-0795 |
Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 does not validate e-mail address settings, which allows remote authenticated users to have an unspecified impact via a crafted address. Published: July 17, 2012; 6:20:53 AM -0400 |
V3.x:(not available) V2.0: 6.5 MEDIUM |
CVE-2012-0794 |
The rc4encrypt function in lib/moodlelib.php in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 uses a hardcoded password of nfgjeingjk, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by reading this script's source code within the open-source software distribution. Published: July 17, 2012; 6:20:52 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-0793 |
Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote attackers to view the profile images of arbitrary user accounts via unspecified vectors. Published: July 17, 2012; 6:20:52 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |