Search Results (Refine Search)
- CPE Product Version: cpe:/a:moodle:moodle:2.2.2
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2013-1834 |
notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated users to reassign notes via a modified (1) userid or (2) courseid field. Published: March 25, 2013; 5:55:04 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2013-1833 |
Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted filename. Published: March 25, 2013; 5:55:04 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2013-1832 |
repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance. Published: March 25, 2013; 5:55:04 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2013-1831 |
lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message. Published: March 25, 2013; 5:55:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2013-1830 |
user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search. Published: March 25, 2013; 5:55:02 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-6112 |
classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string. Published: January 27, 2013; 5:55:04 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-6105 |
blog/rsslib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 continues to provide a blog RSS feed after blogging is disabled, which allows remote attackers to obtain sensitive information by reading this feed. Published: January 27, 2013; 5:55:04 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-6104 |
blog/rsslib.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allows remote attackers to obtain sensitive information from site-level blogs by leveraging the guest role and reading an RSS feed. Published: January 27, 2013; 5:55:04 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-6103 |
Multiple cross-site request forgery (CSRF) vulnerabilities in user/messageselect.php in the messaging system in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attackers to hijack the authentication of arbitrary users for requests that send course messages. Published: January 27, 2013; 5:55:03 PM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2012-6101 |
Multiple open redirect vulnerabilities in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors related to (1) backup/backupfilesedit.php, (2) comment/comment_post.php, (3) course/switchrole.php, (4) mod/wiki/filesedit.php, (5) tag/coursetags_add.php, or (6) user/files.php. Published: January 27, 2013; 5:55:03 PM -0500 |
V3.x:(not available) V2.0: 5.8 MEDIUM |
CVE-2012-6100 |
report/outline/index.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/user:viewhiddendetails capability requirement, which allows remote authenticated users to discover a hidden lastaccess value by reading an activity report. Published: January 27, 2013; 5:55:03 PM -0500 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2012-6099 |
The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature. Published: January 27, 2013; 5:55:03 PM -0500 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2012-6098 |
grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/grade:manage capability requirement, which allows remote authenticated users to convert custom outcomes into standard site-wide outcomes by leveraging the teacher role and using the re-editing feature. Published: January 27, 2013; 5:55:03 PM -0500 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2012-5480 |
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote attackers to bypass intended restrictions on reading other participants' entries via an advanced search. Published: November 21, 2012; 7:55:03 AM -0500 |
V3.x:(not available) V2.0: 6.4 MEDIUM |
CVE-2012-5479 |
The Portfolio plugin in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to upload and execute files via a modified Portfolio API callback. Published: November 21, 2012; 7:55:03 AM -0500 |
V3.x:(not available) V2.0: 6.5 MEDIUM |
CVE-2012-5473 |
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to read activity entries of a different group's users via an advanced search. Published: November 21, 2012; 7:55:03 AM -0500 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2012-5472 |
lib/formslib.php in Moodle 2.2.x before 2.2.6 and 2.3.x before 2.3.3 allows remote authenticated users to bypass intended access restrictions via a modified value of a frozen form field. Published: November 21, 2012; 7:55:02 AM -0500 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2012-5471 |
The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to access the Dropbox of a different user by leveraging an unattended workstation after a logout. Published: November 21, 2012; 7:55:02 AM -0500 |
V3.x:(not available) V2.0: 6.5 MEDIUM |
CVE-2012-4408 |
course/reset.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 checks an update capability instead of a reset capability, which allows remote authenticated users to bypass intended access restrictions via a reset operation. Published: September 19, 2012; 6:57:07 AM -0400 |
V3.x:(not available) V2.0: 5.5 MEDIUM |
CVE-2012-4407 |
lib/filelib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly check the publication state of blog files, which allows remote attackers to obtain sensitive information by reading a blog entry that references a non-public file. Published: September 19, 2012; 6:57:07 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |