U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:moodle:moodle:2.0.7
There are 193 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2023-5551

Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.

Published: November 09, 2023; 3:15:11 PM -0500
V3.1: 3.3 LOW
V2.0:(not available)
CVE-2023-5550

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

Published: November 09, 2023; 3:15:10 PM -0500
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2023-5549

Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.

Published: November 09, 2023; 3:15:10 PM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2023-5548

Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.

Published: November 09, 2023; 3:15:10 PM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2023-5545

H5P metadata automatically populated the author with the user's username, which could be sensitive information.

Published: November 09, 2023; 3:15:09 PM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2023-5540

A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.

Published: November 09, 2023; 3:15:09 PM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-5539

A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.

Published: November 09, 2023; 3:15:08 PM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-35133

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

Published: June 22, 2023; 5:15:09 PM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-35132

A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

Published: June 22, 2023; 5:15:09 PM -0400
V3.1: 6.3 MEDIUM
V2.0:(not available)
CVE-2021-36403

In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.

Published: March 06, 2023; 6:15:10 PM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2021-36402

In Moodle, Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.

Published: March 06, 2023; 6:15:10 PM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2021-36401

In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.

Published: March 06, 2023; 5:15:09 PM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2021-36400

In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.

Published: March 06, 2023; 5:15:09 PM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2021-36397

In Moodle, insufficient capability checks meant message deletions were not limited to the current user.

Published: March 06, 2023; 5:15:09 PM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2021-36396

In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.

Published: March 06, 2023; 4:15:10 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2021-36395

In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.

Published: March 06, 2023; 4:15:10 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2021-36394

In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

Published: March 06, 2023; 4:15:10 PM -0500
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2021-36393

In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

Published: March 06, 2023; 4:15:10 PM -0500
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2021-36392

In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.

Published: March 06, 2023; 4:15:10 PM -0500
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2022-45152

A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.

Published: November 25, 2022; 2:15:12 PM -0500
V3.1: 9.1 CRITICAL
V2.0:(not available)