Search Results (Refine Search)
- CPE Product Version: cpe:/a:moodle:moodle:2.1.6
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2013-2245 |
rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly implement the use of RSS tokens for impersonation, which allows remote authenticated users to obtain sensitive block information by reading an RSS feed. Published: July 29, 2013; 9:59:20 AM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2013-2243 |
mod/lesson/pagetypes/matching.php in Moodle through 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 allows remote authenticated users to obtain sensitive answer information by reading the HTML source code of a document. Published: July 29, 2013; 9:59:20 AM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2013-2242 |
mod/chat/gui_sockets/index.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not consider the mod/chat:chat capability before authorizing daemon-mode chat, which allows remote authenticated users to bypass intended access restrictions via an HTTP session to a chat server. Published: July 29, 2013; 9:59:20 AM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2013-2083 |
The MoodleQuickForm class in lib/formslib.php in Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly handle a certain array-element syntax, which allows remote attackers to bypass intended form-data filtering via a crafted request. Published: May 24, 2013; 11:18:15 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2013-2082 |
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not enforce capability requirements for reading blog comments, which allows remote attackers to obtain sensitive information via a crafted request. Published: May 24, 2013; 11:18:15 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2013-2081 |
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not consider "don't send" attributes during hub registration, which allows remote hubs to obtain sensitive site information by reading form data. Published: May 24, 2013; 11:18:15 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-1836 |
Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not properly manage privileges for WebDAV repositories, which allows remote authenticated users to read, modify, or delete arbitrary site-wide repositories by leveraging certain read access. Published: March 25, 2013; 5:55:04 PM -0400 |
V3.x:(not available) V2.0: 6.5 MEDIUM |
CVE-2013-1835 |
Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated administrators to obtain sensitive information from the external repositories of arbitrary users by leveraging the login_as feature. Published: March 25, 2013; 5:55:04 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2013-1834 |
notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated users to reassign notes via a modified (1) userid or (2) courseid field. Published: March 25, 2013; 5:55:04 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2013-1833 |
Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted filename. Published: March 25, 2013; 5:55:04 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2013-1832 |
repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance. Published: March 25, 2013; 5:55:04 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2013-1831 |
lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message. Published: March 25, 2013; 5:55:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2013-1830 |
user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search. Published: March 25, 2013; 5:55:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-6112 |
classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string. Published: January 27, 2013; 5:55:04 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-6105 |
blog/rsslib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 continues to provide a blog RSS feed after blogging is disabled, which allows remote attackers to obtain sensitive information by reading this feed. Published: January 27, 2013; 5:55:04 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-6099 |
The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature. Published: January 27, 2013; 5:55:03 PM -0500 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2012-6098 |
grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/grade:manage capability requirement, which allows remote authenticated users to convert custom outcomes into standard site-wide outcomes by leveraging the teacher role and using the re-editing feature. Published: January 27, 2013; 5:55:03 PM -0500 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2012-5480 |
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote attackers to bypass intended restrictions on reading other participants' entries via an advanced search. Published: November 21, 2012; 7:55:03 AM -0500 |
V3.x:(not available) V2.0: 6.4 MEDIUM |
CVE-2012-5479 |
The Portfolio plugin in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to upload and execute files via a modified Portfolio API callback. Published: November 21, 2012; 7:55:03 AM -0500 |
V3.x:(not available) V2.0: 6.5 MEDIUM |
CVE-2012-5473 |
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to read activity entries of a different group's users via an advanced search. Published: November 21, 2012; 7:55:03 AM -0500 |
V3.x:(not available) V2.0: 4.0 MEDIUM |