Filtered by vendor Moodle
Subscribe
Total
495 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2015-3272 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.8 MEDIUM | 7.4 HIGH |
Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an HTTP Referer header that has a substring match with a local URL. | |||||
CVE-2015-3174 | 1 Moodle | 1 Moodle | 2020-12-01 | 3.5 LOW | N/A |
mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading. | |||||
CVE-2015-3180 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
lib/navigationlib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to obtain sensitive course-structure information by leveraging access to a student account with a suspended enrolment. | |||||
CVE-2015-3175 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.8 MEDIUM | N/A |
Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an error page that links to a URL from an HTTP Referer header. | |||||
CVE-2016-2154 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to discover hidden course names by subscribing to a rule. | |||||
CVE-2014-7830 | 1 Moodle | 1 Moodle | 2020-12-01 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter. | |||||
CVE-2014-3553 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.9 MEDIUM | N/A |
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships. | |||||
CVE-2015-3179 | 1 Moodle | 1 Moodle | 2020-12-01 | 3.5 LOW | N/A |
login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to bypass intended login restrictions by leveraging access to an unconfirmed suspended account. | |||||
CVE-2015-3274 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging absence of an external_format_text call in a web service. | |||||
CVE-2016-2155 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging the Non-Editing Instructor role. | |||||
CVE-2015-5268 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
The rating component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 mishandles group-based authorization checks, which allows remote authenticated users to obtain sensitive information by reading a rating value. | |||||
CVE-2014-3547 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in badges/renderer.php in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via an external badge. | |||||
CVE-2014-3546 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL. | |||||
CVE-2015-3181 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not consider the moodle/user:manageownfiles capability before approving a private-file upload, which allows remote authenticated users to bypass intended file-management restrictions by using web services to perform uploads after this capability has been revoked. | |||||
CVE-2015-3176 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | N/A |
The account-confirmation feature in login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote attackers to obtain sensitive full-name information by attempting to self-register. | |||||
CVE-2015-2268 | 1 Moodle | 1 Moodle | 2020-12-01 | 6.8 MEDIUM | N/A |
filter/urltolink/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression. | |||||
CVE-2014-3544 | 1 Moodle | 1 Moodle | 2020-12-01 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field. | |||||
CVE-2015-2269 | 1 Moodle | 1 Moodle | 2020-12-01 | 3.5 LOW | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript-static.js in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) alt or (2) title attribute in an IMG element. | |||||
CVE-2014-3545 | 1 Moodle | 1 Moodle | 2020-12-01 | 6.0 MEDIUM | N/A |
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz. | |||||
CVE-2015-2270 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | N/A |
lib/moodlelib.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4, when the theme uses the blocks-regions feature, establishes the course state at an incorrect point in the login-validation process, which allows remote attackers to obtain sensitive course information via unspecified vectors. |