Search Results (Refine Search)
- Keyword (text search): cpe:2.3:a:moodle:moodle:2.7.12:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2024-38276 |
Incorrect CSRF token checks resulted in multiple CSRF risks. Published: June 18, 2024; 4:15:14 PM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2024-1439 |
Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent. Published: February 12, 2024; 6:15:08 AM -0500 |
V4.0:(not available) V3.1: 3.3 LOW V2.0:(not available) |
CVE-2023-5551 |
Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups. Published: November 09, 2023; 3:15:11 PM -0500 |
V4.0:(not available) V3.1: 3.3 LOW V2.0:(not available) |
CVE-2023-5550 |
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. Published: November 09, 2023; 3:15:10 PM -0500 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-5549 |
Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage. Published: November 09, 2023; 3:15:10 PM -0500 |
V4.0:(not available) V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-5548 |
Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. Published: November 09, 2023; 3:15:10 PM -0500 |
V4.0:(not available) V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-5545 |
H5P metadata automatically populated the author with the user's username, which could be sensitive information. Published: November 09, 2023; 3:15:09 PM -0500 |
V4.0:(not available) V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-5540 |
A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers. Published: November 09, 2023; 3:15:09 PM -0500 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-5539 |
A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. Published: November 09, 2023; 3:15:08 PM -0500 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-35133 |
An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. Published: June 22, 2023; 5:15:09 PM -0400 |
V4.0:(not available) V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-35132 |
A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. Published: June 22, 2023; 5:15:09 PM -0400 |
V4.0:(not available) V3.1: 6.3 MEDIUM V2.0:(not available) |
CVE-2021-36403 |
In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk. Published: March 06, 2023; 6:15:10 PM -0500 |
V4.0:(not available) V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2021-36402 |
In Moodle, Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk. Published: March 06, 2023; 6:15:10 PM -0500 |
V4.0:(not available) V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2021-36401 |
In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk. Published: March 06, 2023; 5:15:09 PM -0500 |
V4.0:(not available) V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2021-36400 |
In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions. Published: March 06, 2023; 5:15:09 PM -0500 |
V4.0:(not available) V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2021-36397 |
In Moodle, insufficient capability checks meant message deletions were not limited to the current user. Published: March 06, 2023; 5:15:09 PM -0500 |
V4.0:(not available) V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2021-36396 |
In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk. Published: March 06, 2023; 4:15:10 PM -0500 |
V4.0:(not available) V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2021-36395 |
In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service. Published: March 06, 2023; 4:15:10 PM -0500 |
V4.0:(not available) V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2021-36394 |
In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin. Published: March 06, 2023; 4:15:10 PM -0500 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2021-36393 |
In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses. Published: March 06, 2023; 4:15:10 PM -0500 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0:(not available) |