Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Moodle Subscribe
Filtered by product Moodle
Total 494 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-14884 1 Moodle 1 Moodle 2020-03-19 4.3 MEDIUM 6.1 MEDIUM
A vulnerability was found in Moodle 3.7 before 3.73, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS possible from some fatal error messages.
CVE-2012-1155 4 Debian, Fedoraproject, Moodle and 1 more 4 Debian Linux, Fedora, Moodle and 1 more 2019-11-22 5.0 MEDIUM 7.5 HIGH
Moodle has a database activity export permission issue where the export function of the database activity module exports all entries even those from groups the user does not belong to
CVE-2012-1156 3 Fedoraproject, Moodle, Redhat 3 Fedora, Moodle, Enterprise Linux 2019-11-22 5.0 MEDIUM 7.5 HIGH
Moodle before 2.2.2 has users' private files included in course backups
CVE-2012-1168 3 Fedoraproject, Moodle, Redhat 3 Fedora, Moodle, Enterprise Linux 2019-11-22 6.4 MEDIUM 8.2 HIGH
Moodle before 2.2.2 has a password and web services issue where when the user profile is updated the user password is reset if not specified.
CVE-2012-1158 2 Fedoraproject, Moodle 2 Fedora, Moodle 2019-11-18 4.0 MEDIUM 4.3 MEDIUM
Moodle before 2.2.2 has a course information leak in gradebook where users are able to see hidden grade items in export
CVE-2012-1157 2 Fedoraproject, Moodle 2 Fedora, Moodle 2019-11-18 4.0 MEDIUM 4.3 MEDIUM
Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default
CVE-2012-1160 2 Fedoraproject, Moodle 2 Fedora, Moodle 2019-11-18 4.0 MEDIUM 2.7 LOW
Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe/unsubscribe via mod/forum/index.php
CVE-2012-1169 2 Fedoraproject, Moodle 2 Fedora, Moodle 2019-11-18 5.0 MEDIUM 5.3 MEDIUM
Moodle before 2.2.2 has Personal information disclosure, when administrative setting users name display is set to first name only full names are shown in page breadcrumbs.
CVE-2012-1159 2 Fedoraproject, Moodle 2 Fedora, Moodle 2019-11-15 4.0 MEDIUM 4.3 MEDIUM
Moodle before 2.2.2: Overview report allows users to see hidden courses
CVE-2012-1161 2 Fedoraproject, Moodle 2 Fedora, Moodle 2019-11-15 4.0 MEDIUM 4.3 MEDIUM
Moodle before 2.2.2: Course information leak via hidden courses being displayed in tag search results
CVE-2012-1170 2 Fedoraproject, Moodle 2 Fedora, Moodle 2019-11-15 5.0 MEDIUM 7.5 HIGH
Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough
CVE-2019-3850 1 Moodle 1 Moodle 2019-10-09 5.8 MEDIUM 6.1 MEDIUM
A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits.
CVE-2019-3809 1 Moodle 1 Moodle 2019-10-09 7.5 HIGH 10.0 CRITICAL
A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.
CVE-2019-10133 1 Moodle 1 Moodle 2019-10-09 5.8 MEDIUM 6.1 MEDIUM
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
CVE-2018-1082 1 Moodle 1 Moodle 2019-10-09 6.8 MEDIUM 8.1 HIGH
A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.
CVE-2018-16854 1 Moodle 1 Moodle 2019-10-09 6.8 MEDIUM 8.8 HIGH
A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15.
CVE-2018-14630 1 Moodle 1 Moodle 2019-10-09 6.5 MEDIUM 8.8 HIGH
moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.
CVE-2018-14631 1 Moodle 1 Moodle 2019-10-09 4.3 MEDIUM 6.1 MEDIUM
moodle before versions 3.5.2, 3.4.5, 3.3.8 is vulnerable to a boost theme - blog search GET parameter insufficiently filtered. The breadcrumb navigation provided by Boost theme when displaying search results of a blog were insufficiently filtered, which could result in reflected XSS if a user followed a malicious link containing JavaScript in the search parameter.
CVE-2018-10890 1 Moodle 1 Moodle 2019-10-09 5.0 MEDIUM 5.3 MEDIUM
A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. It was possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories.
CVE-2018-10889 1 Moodle 1 Moodle 2019-10-09 5.0 MEDIUM 5.3 MEDIUM
A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7. No option existed to omit logs from data privacy exports, which may contain details of other users who interacted with the requester.