Search Results (Refine Search)
- CPE Product Version: cpe:/a:moodle:moodle:2.5
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2015-2271 |
tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/tag:flag capability before proceeding with a flaginappropriate action, which allows remote authenticated users to bypass intended access restrictions via the "Flag as inappropriate" feature. Published: June 01, 2015; 3:59:14 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2015-2270 |
lib/moodlelib.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4, when the theme uses the blocks-regions feature, establishes the course state at an incorrect point in the login-validation process, which allows remote attackers to obtain sensitive course information via unspecified vectors. Published: June 01, 2015; 3:59:13 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2015-2269 |
Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript-static.js in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) alt or (2) title attribute in an IMG element. Published: June 01, 2015; 3:59:12 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2015-2268 |
filter/urltolink/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression. Published: June 01, 2015; 3:59:11 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2015-2267 |
mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value. Published: June 01, 2015; 3:59:10 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2015-2266 |
message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/site:readallmessages capability before accessing arbitrary conversations, which allows remote authenticated users to obtain sensitive personal-contact and unread-message-count information via a modified URL. Published: June 01, 2015; 3:59:09 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2015-1493 |
Directory traversal vulnerability in the min_get_slash_argument function in lib/configonlylib.php in Moodle through 2.5.9, 2.6.x before 2.6.8, 2.7.x before 2.7.5, and 2.8.x before 2.8.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter, as demonstrated by reading PHP scripts. Published: June 01, 2015; 3:59:08 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2015-0218 |
Cross-site request forgery (CSRF) vulnerability in auth/shibboleth/logout.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger a logout. Published: June 01, 2015; 3:59:07 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2015-0217 |
filter/mediaplugin/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression. Published: June 01, 2015; 3:59:06 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2015-0215 |
calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request. Published: June 01, 2015; 3:59:04 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2015-0214 |
message/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to bypass a messaging-disabled setting via a web-services request, as demonstrated by a people-search request. Published: June 01, 2015; 3:59:03 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2015-0213 |
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) editcategories.html and (2) editcategories.php in the Glossary module in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allow remote attackers to hijack the authentication of unspecified victims. Published: June 01, 2015; 3:59:02 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2015-0212 |
Cross-site scripting (XSS) vulnerability in course/pending.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted course summary. Published: June 01, 2015; 3:59:01 PM -0400 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2015-0211 |
mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before proceeding with registered-tool list searches, which allows remote authenticated users to obtain sensitive information via requests to the LTI Ajax service. Published: June 01, 2015; 3:59:00 PM -0400 |
V3.x:(not available) V2.0: 4.0 MEDIUM |
CVE-2013-3630 |
Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor. Published: October 31, 2013; 10:55:04 PM -0400 |
V3.x:(not available) V2.0: 4.6 MEDIUM |