Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Moodle Subscribe
Total 495 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-10890 1 Moodle 1 Moodle 2019-10-09 5.0 MEDIUM 5.3 MEDIUM
A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. It was possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories.
CVE-2018-1134 1 Moodle 1 Moodle 2019-10-02 4.0 MEDIUM 6.5 MEDIUM
An issue was discovered in Moodle 3.x. Students who submitted assignments and exported them to portfolios can download any stored Moodle file by changing the download URL.
CVE-2017-7490 1 Moodle 1 Moodle 2019-10-02 5.0 MEDIUM 5.3 MEDIUM
In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.
CVE-2018-1136 1 Moodle 1 Moodle 2019-10-02 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other pages where they can be viewed by other users.
CVE-2017-7532 1 Moodle 1 Moodle 2019-10-02 4.0 MEDIUM 6.5 MEDIUM
In Moodle 3.x, course creators are able to change system default settings for courses.
CVE-2017-7489 1 Moodle 1 Moodle 2019-10-02 6.5 MEDIUM 6.3 MEDIUM
In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
CVE-2018-1043 1 Moodle 1 Moodle 2019-10-02 4.0 MEDIUM 6.5 MEDIUM
In Moodle 3.x, the setting for blocked hosts list can be bypassed with multiple A record hostnames.
CVE-2018-1042 1 Moodle 1 Moodle 2019-07-27 4.0 MEDIUM 6.5 MEDIUM
Moodle 3.x has Server Side Request Forgery in the filepicker.
CVE-2019-6970 1 Moodle 1 Moodle 2019-03-22 6.0 MEDIUM 7.5 HIGH
Moodle 3.5.x before 3.5.4 allows SSRF.
CVE-2008-6124 2 Debian, Moodle 2 Debian Linux, Moodle 2018-11-08 7.5 HIGH N/A
SQL injection vulnerability in the hotpot_delete_selected_attempts function in report.php in the HotPot module in Moodle 1.6 before 1.6.7, 1.7 before 1.7.5, 1.8 before 1.8.6, and 1.9 before 1.9.2 allows remote attackers to execute arbitrary SQL commands via a crafted selected attempt.
CVE-2008-6125 2 Debian, Moodle 2 Debian Linux, Moodle 2018-11-08 6.5 MEDIUM N/A
Unspecified vulnerability in the user editing interface in Moodle 1.5.x, 1.6 before 1.6.6, and 1.7 before 1.7.3 allows remote authenticated users to gain privileges via unknown vectors.
CVE-2008-3325 2 Debian, Moodle 2 Debian Linux, Moodle 2018-11-01 6.0 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to modify profile settings and gain privileges as other users via a link or IMG tag to the user edit profile page.
CVE-2006-0147 5 John Lim, Mantis, Moodle and 2 more 5 Adodb, Mantis, Moodle and 2 more 2018-10-19 7.5 HIGH N/A
Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.
CVE-2006-0146 6 John Lim, Mantis, Mediabeez and 3 more 6 Adodb, Mantis, Mediabeez and 3 more 2018-10-19 7.5 HIGH N/A
The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter.
CVE-2006-5219 1 Moodle 1 Moodle 2018-10-17 5.1 MEDIUM N/A
SQL injection vulnerability in blog/index.php in the blog module in Moodle 1.6.2 allows remote attackers to execute arbitrary SQL commands via a double-encoded tag parameter.
CVE-2006-4785 1 Moodle 1 Moodle 2018-10-17 7.5 HIGH N/A
SQL injection vulnerability in blog/edit.php in Moodle 1.6.1 and earlier allows remote attackers to execute arbitrary SQL commands via the format parameter as stored in the $blogEntry variable, which is not properly handled by the insert_record function, which calls _adodb_column_sql in the adodb layer (lib/adodb/adodb-lib.inc.php), which does not convert the data type to an int.
CVE-2007-1429 1 Moodle 1 Moodle 2018-10-16 7.5 HIGH N/A
Multiple PHP remote file inclusion vulnerabilities in Moodle 1.7.1 allow remote attackers to execute arbitrary PHP code via a URL in the cmd parameter to (1) admin/utfdbmigrate.php or (2) filter.php.
CVE-2008-0123 1 Moodle 1 Moodle 2018-10-15 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in install.php for Moodle 1.8.3, and possibly other versions before 1.8.4, allows remote attackers to inject arbitrary web script or HTML via the dbname parameter. NOTE: this issue only exists until the installation is complete.
CVE-2007-6538 2 Moodle, Mrbs 2 Moodle, Mrbs 2018-10-15 7.5 HIGH N/A
SQL injection vulnerability in ing/blocks/mrbs/code/web/view_entry.php in the MRBS plugin for Moodle allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2007-3555 1 Moodle 1 Moodle 2018-10-15 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in index.php in Moodle 1.7.1 allows remote attackers to inject arbitrary web script or HTML via a style expression in the search parameter, a different vulnerability than CVE-2004-1424.