Download
| Alert*
|
CVE-2017-12157
In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access. CVE-2017-12156 Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback. CVE-2017-15110 In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students. CVE-2017-2578 In Moodle 3.x, there is XSS in the assignment submission page. CVE-2017-2642 Moodle 3.x has user fullname disclosure on the user preferences page. CVE-2017-2643 In Moodle 3.2.x, global search displays user names for unauthenticated users. CVE-2017-2644 In Moodle 3.x, XSS can occur via evidence of prior learning. CVE-2017-2645 In Moodle 3.x, XSS can occur via attachments to evidence of prior learning. CVE-2017-2641 In Moodle 2.x and 3.x, SQL injection can occur via user preferences. CVE-2017-7489 In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link. CVE-2017-7532 In Moodle 3.x, course creators are able to change system default settings for courses. CVE-2017-7491 In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting. CVE-2017-7490 In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing. CVE-2018-1133 An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection. CVE-2018-1135 An issue was discovered in Moodle 3.x. Students who posted on forums and exported the posts to portfolios can download any stored Moodle file by changing the download URL. CVE-2018-1134 An issue was discovered in Moodle 3.x. Students who submitted assignments and exported them to portfolios can download any stored Moodle file by changing the download URL. CVE-2018-1137 An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack. CVE-2018-1136 An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other ... CVE-2018-1081 A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via paypal enrol script. Paypal IPN callback script should only send error emails to admin after request origin was verified ... CVE-2019-10154 A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations. CVE-2019-3849 A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. CVE-2019-3848 A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users ... CVE-2019-3852 A vulnerability was found in moodle before version 3.6.3. The get_with_capability_join and get_users_by_capability functions were not taking context freezing into account when checking user capabilities |
