U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:moodle:moodle:2.6.1
There are 158 matching records.
Displaying matches 81 through 100.
Vuln ID Summary CVSS Severity
CVE-2015-5338

Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1) mod/lesson/mediafile.php or (2) mod/lesson/view.php.

Published: February 22, 2016; 12:59:16 AM -0500
V3.0: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2015-5337

Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file.

Published: February 22, 2016; 12:59:15 AM -0500
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2015-5336

Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering a crafted survey answer.

Published: February 22, 2016; 12:59:14 AM -0500
V3.0: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2015-5335

Cross-site request forgery (CSRF) vulnerability in admin/registration/register.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote attackers to hijack the authentication of administrators for requests that send statistics to an arbitrary hub URL.

Published: February 22, 2016; 12:59:13 AM -0500
V3.0: 4.3 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2015-5269

Cross-site scripting (XSS) vulnerability in group/overview.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to inject arbitrary web script or HTML via a modified grouping description.

Published: February 22, 2016; 12:59:09 AM -0500
V3.0: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2015-5268

The rating component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 mishandles group-based authorization checks, which allows remote authenticated users to obtain sensitive information by reading a rating value.

Published: February 22, 2016; 12:59:08 AM -0500
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2015-5267

lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

Published: February 22, 2016; 12:59:07 AM -0500
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2015-5266

The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing during a long-running sync script.

Published: February 22, 2016; 12:59:06 AM -0500
V3.0: 6.8 MEDIUM
V2.0: 4.9 MEDIUM
CVE-2015-5265

The wiki component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 does not consider the mod/wiki:managefiles capability before authorizing file management, which allows remote authenticated users to delete arbitrary files by using a manage-files button in a text editor.

Published: February 22, 2016; 12:59:05 AM -0500
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2015-5264

The lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to bypass intended access restrictions and enter additional answer attempts by leveraging the student role.

Published: February 22, 2016; 12:59:04 AM -0500
V3.0: 5.4 MEDIUM
V2.0: 5.5 MEDIUM
CVE-2015-3275

Multiple cross-site scripting (XSS) vulnerabilities in the SCORM module in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allow remote attackers to inject arbitrary web script or HTML via a crafted organization name to (1) mod/scorm/player.php or (2) mod/scorm/prereqs.php.

Published: February 22, 2016; 12:59:03 AM -0500
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2015-3274

Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging absence of an external_format_text call in a web service.

Published: February 22, 2016; 12:59:02 AM -0500
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2015-3272

Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an HTTP Referer header that has a substring match with a local URL.

Published: February 22, 2016; 12:59:00 AM -0500
V3.0: 7.4 HIGH
V2.0: 5.8 MEDIUM
CVE-2015-3181

files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not consider the moodle/user:manageownfiles capability before approving a private-file upload, which allows remote authenticated users to bypass intended file-management restrictions by using web services to perform uploads after this capability has been revoked.

Published: June 01, 2015; 3:59:23 PM -0400
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2015-3180

lib/navigationlib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to obtain sensitive course-structure information by leveraging access to a student account with a suspended enrolment.

Published: June 01, 2015; 3:59:22 PM -0400
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2015-3179

login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to bypass intended login restrictions by leveraging access to an unconfirmed suspended account.

Published: June 01, 2015; 3:59:22 PM -0400
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2015-3178

Cross-site scripting (XSS) vulnerability in the external_format_text function in lib/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML into an external application via a crafted string that is visible to web services.

Published: June 01, 2015; 3:59:21 PM -0400
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2015-3176

The account-confirmation feature in login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote attackers to obtain sensitive full-name information by attempting to self-register.

Published: June 01, 2015; 3:59:19 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-3175

Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an error page that links to a URL from an HTTP Referer header.

Published: June 01, 2015; 3:59:18 PM -0400
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2015-3174

mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading.

Published: June 01, 2015; 3:59:17 PM -0400
V3.x:(not available)
V2.0: 3.5 LOW