U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:moodle:moodle:3.3.1:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 74 matching records.
Displaying matches 61 through 74.
Vuln ID Summary CVSS Severity
CVE-2018-1082

A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.

Published: April 04, 2018; 5:29:00 PM -0400
V4.0:(not available)
V3.0: 8.1 HIGH
V2.0: 6.8 MEDIUM
CVE-2018-1081

A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via paypal enrol script. Paypal IPN callback script should only send error emails to admin after request origin was verified, otherwise admin email can be spammed.

Published: April 04, 2018; 5:29:00 PM -0400
V4.0:(not available)
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2018-1045

In Moodle 3.x, there is XSS via a calendar event name.

Published: January 22, 2018; 3:29:00 AM -0500
V4.0:(not available)
V3.0: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2018-1044

In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings.

Published: January 22, 2018; 3:29:00 AM -0500
V4.0:(not available)
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2018-1043

In Moodle 3.x, the setting for blocked hosts list can be bypassed with multiple A record hostnames.

Published: January 22, 2018; 3:29:00 AM -0500
V4.0:(not available)
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2018-1042

Moodle 3.x has Server Side Request Forgery in the filepicker.

Published: January 22, 2018; 3:29:00 AM -0500
V4.0:(not available)
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-15110

In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students.

Published: November 20, 2017; 9:29:00 AM -0500
V4.0:(not available)
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-12157

In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access.

Published: September 18, 2017; 12:29:00 AM -0400
V4.0:(not available)
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-12156

Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback.

Published: September 18, 2017; 12:29:00 AM -0400
V4.0:(not available)
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2017-7532

In Moodle 3.x, course creators are able to change system default settings for courses.

Published: July 17, 2017; 1:29:00 PM -0400
V4.0:(not available)
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-2642

Moodle 3.x has user fullname disclosure on the user preferences page.

Published: July 17, 2017; 1:29:00 PM -0400
V4.0:(not available)
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2010-4208

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to uploader/assets/uploader.swf.

Published: November 07, 2010; 5:00:03 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2010-4207

Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to charts/assets/charts.swf.

Published: November 07, 2010; 5:00:03 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2007-6538

SQL injection vulnerability in ing/blocks/mrbs/code/web/view_entry.php in the MRBS plugin for Moodle allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: December 27, 2007; 6:46:00 PM -0500
V4.0:(not available)
V3.x:(not available)
V2.0: 7.5 HIGH