Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Moodle
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2024-28593 |
The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text." This page also says "Chat is due to be removed from standard Moodle." Published: March 22, 2024; 11:15:15 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-29374 |
A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the "GET /?lang=" URL parameter. Published: March 21, 2024; 3:15:09 PM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-1439 |
Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent. Published: February 12, 2024; 6:15:08 AM -0500 |
V3.x:(not available) V2.0:(not available) |
CVE-2023-5550 |
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. Published: November 09, 2023; 3:15:10 PM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-46858 |
Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to enhance their courses ... admins and teachers can post XSS-capable content, but students can not." Published: October 28, 2023; 9:15:41 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-35133 |
An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. Published: June 22, 2023; 5:15:09 PM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-35132 |
A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. Published: June 22, 2023; 5:15:09 PM -0400 |
V3.1: 6.3 MEDIUM V2.0:(not available) |
CVE-2023-35131 |
Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14. Published: June 22, 2023; 5:15:09 PM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2021-27131 |
Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer. NOTE: this is disputed by the vendor because the "Additional HTML Section" for "Header and Footer" can only be supplied by an administrator, who is intentionally allowed to enter unsanitized input (e.g., site-specific JavaScript). Published: May 16, 2023; 4:15:08 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-30944 |
The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database. Published: May 02, 2023; 4:15:11 PM -0400 |
V3.1: 7.3 HIGH V2.0:(not available) |
CVE-2023-30943 |
The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system. Published: May 02, 2023; 4:15:10 PM -0400 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2022-40208 |
In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt. Published: March 24, 2023; 4:15:08 PM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-28333 |
The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS). Published: March 23, 2023; 5:15:20 PM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2021-36403 |
In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk. Published: March 06, 2023; 6:15:10 PM -0500 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2021-36402 |
In Moodle, Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk. Published: March 06, 2023; 6:15:10 PM -0500 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2021-36401 |
In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk. Published: March 06, 2023; 5:15:09 PM -0500 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2021-36400 |
In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions. Published: March 06, 2023; 5:15:09 PM -0500 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2021-36399 |
In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk. Published: March 06, 2023; 5:15:09 PM -0500 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2021-36398 |
In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk. Published: March 06, 2023; 5:15:09 PM -0500 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2021-36397 |
In Moodle, insufficient capability checks meant message deletions were not limited to the current user. Published: March 06, 2023; 5:15:09 PM -0500 |
V3.1: 5.3 MEDIUM V2.0:(not available) |