Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Moodle Subscribe
Filtered by product Moodle
Total 433 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-20280 2 Fedoraproject, Moodle 2 Fedora, Moodle 2021-11-30 3.5 LOW 5.4 MEDIUM
Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
CVE-2021-43559 2 Fedoraproject, Moodle 3 Fedora, Fedora Extra Packages For Enterprise Linux, Moodle 2021-11-26 6.8 MEDIUM 8.8 HIGH
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.
CVE-2021-43558 2 Fedoraproject, Moodle 3 Fedora, Fedora Extra Packages For Enterprise Linux, Moodle 2021-11-26 4.3 MEDIUM 6.1 MEDIUM
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.
CVE-2021-43560 2 Fedoraproject, Moodle 3 Fedora, Fedora Extra Packages For Enterprise Linux, Moodle 2021-11-26 5.0 MEDIUM 5.3 MEDIUM
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.
CVE-2021-3943 1 Moodle 1 Moodle 2021-11-23 7.5 HIGH 9.8 CRITICAL
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified.
CVE-2019-3810 1 Moodle 1 Moodle 2021-11-04 5.0 MEDIUM 5.3 MEDIUM
A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.
CVE-2019-3847 1 Moodle 1 Moodle 2021-11-02 3.5 LOW 4.8 MEDIUM
A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.
CVE-2019-3848 1 Moodle 1 Moodle 2021-11-02 4.0 MEDIUM 4.3 MEDIUM
A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)
CVE-2019-10134 1 Moodle 1 Moodle 2021-10-28 4.3 MEDIUM 3.7 LOW
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
CVE-2020-25703 2 Fedoraproject, Moodle 2 Fedora, Moodle 2021-10-19 5.0 MEDIUM 5.3 MEDIUM
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.
CVE-2020-25699 2 Fedoraproject, Moodle 2 Fedora, Moodle 2021-10-19 5.0 MEDIUM 7.5 HIGH
In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
CVE-2013-3630 1 Moodle 1 Moodle 2021-10-12 4.6 MEDIUM N/A
Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.
CVE-2013-4341 1 Moodle 1 Moodle 2021-10-12 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed.
CVE-2021-21809 1 Moodle 1 Moodle 2021-10-12 9.0 HIGH 9.1 CRITICAL
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
CVE-2021-32244 1 Moodle 1 Moodle 2021-06-21 3.5 LOW 5.4 MEDIUM
Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.
CVE-2019-14827 1 Moodle 1 Moodle 2021-06-01 4.3 MEDIUM 6.1 MEDIUM
A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions.
CVE-2021-20282 2 Fedoraproject, Moodle 2 Fedora, Moodle 2021-03-23 5.0 MEDIUM 5.3 MEDIUM
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
CVE-2021-20283 2 Fedoraproject, Moodle 2 Fedora, Moodle 2021-03-23 4.0 MEDIUM 4.3 MEDIUM
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
CVE-2021-20281 2 Fedoraproject, Moodle 2 Fedora, Moodle 2021-03-23 5.0 MEDIUM 5.3 MEDIUM
It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
CVE-2021-20279 2 Fedoraproject, Moodle 2 Fedora, Moodle 2021-03-23 3.5 LOW 5.4 MEDIUM
The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.