Total
494 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14322 | 1 Moodle | 1 Moodle | 2022-12-06 | N/A | 7.5 HIGH |
| In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service. | |||||
| CVE-2021-32476 | 1 Moodle | 1 Moodle | 2022-12-02 | 5.0 MEDIUM | 7.5 HIGH |
| A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. | |||||
| CVE-2021-32472 | 1 Moodle | 1 Moodle | 2022-12-02 | 2.6 LOW | 4.3 MEDIUM |
| Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 are affected. | |||||
| CVE-2022-2986 | 1 Moodle | 1 Moodle | 2022-11-09 | N/A | 8.8 HIGH |
| Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk. | |||||
| CVE-2020-25699 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2022-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. | |||||
| CVE-2019-3847 | 1 Moodle | 1 Moodle | 2022-11-07 | 3.5 LOW | 4.8 MEDIUM |
| A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf. | |||||
| CVE-2019-3848 | 1 Moodle | 1 Moodle | 2022-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.) | |||||
| CVE-2019-3810 | 1 Moodle | 1 Moodle | 2022-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted. | |||||
| CVE-2021-32478 | 1 Moodle | 1 Moodle | 2022-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected. | |||||
| CVE-2021-20185 | 1 Moodle | 1 Moodle | 2022-10-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages. | |||||
| CVE-2021-20187 | 1 Moodle | 1 Moodle | 2022-10-21 | 6.5 MEDIUM | 7.2 HIGH |
| It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. | |||||
| CVE-2020-25629 | 1 Moodle | 1 Moodle | 2022-10-21 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. | |||||
| CVE-2022-40313 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2022-10-04 | N/A | 7.1 HIGH |
| Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load. | |||||
| CVE-2022-40316 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2022-10-04 | N/A | 4.3 MEDIUM |
| The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to. | |||||
| CVE-2022-40315 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2022-10-04 | N/A | 9.8 CRITICAL |
| A limited SQL injection risk was identified in the "browse list of users" site administration page. | |||||
| CVE-2022-40314 | 1 Moodle | 1 Moodle | 2022-10-04 | N/A | 9.8 CRITICAL |
| A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified. | |||||
| CVE-2021-40692 | 1 Moodle | 1 Moodle | 2022-10-03 | N/A | 4.3 MEDIUM |
| Insufficient capability checks made it possible for teachers to download users outside of their courses. | |||||
| CVE-2021-40693 | 1 Moodle | 1 Moodle | 2022-10-03 | N/A | 6.5 MEDIUM |
| An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability. | |||||
| CVE-2021-40694 | 1 Moodle | 1 Moodle | 2022-10-03 | N/A | 4.9 MEDIUM |
| Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account. | |||||
| CVE-2021-40695 | 1 Moodle | 1 Moodle | 2022-10-03 | N/A | 4.3 MEDIUM |
| It was possible for a student to view their quiz grade before it had been released, using a quiz web service. | |||||