Filtered by vendor Moodle
Subscribe
Total
504 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-14828 | 1 Moodle | 1 Moodle | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role. | |||||
| CVE-2020-25702 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10. | |||||
| CVE-2021-20183 | 1 Moodle | 1 Moodle | 2024-02-04 | 4.3 MEDIUM | 5.4 MEDIUM |
| It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries. | |||||
| CVE-2021-20280 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||
| CVE-2020-25630 | 1 Moodle | 1 Moodle | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. | |||||
| CVE-2020-25627 | 1 Moodle | 1 Moodle | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2. | |||||
| CVE-2021-20187 | 1 Moodle | 1 Moodle | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
| It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. | |||||
| CVE-2020-25701 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. | |||||
| CVE-2019-14829 | 1 Moodle | 1 Moodle | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Moodle affection 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode. | |||||
| CVE-2021-20279 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||
| CVE-2021-20186 | 1 Moodle | 1 Moodle | 2024-02-04 | 2.1 LOW | 5.4 MEDIUM |
| It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS. | |||||
| CVE-2019-14830 | 1 Moodle | 1 Moodle | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app"). | |||||
| CVE-2020-25699 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. | |||||
| CVE-2020-25700 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10. | |||||
| CVE-2020-25698 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. | |||||
| CVE-2021-20185 | 1 Moodle | 1 Moodle | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages. | |||||
| CVE-2020-25629 | 1 Moodle | 1 Moodle | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. | |||||
| CVE-2021-20283 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||
| CVE-2019-14831 | 1 Moodle | 1 Moodle | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscribe link contained an open redirect if forced subscription mode was enabled. If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect. | |||||
| CVE-2021-20281 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. | |||||