Directory traversal vulnerability in file.php in Moodle 1.4.2 and earlier allows remote attackers to read arbitrary session files for known session IDs via a .. (dot dot) in the file parameter.
Max CVSS: 5.0 | EPSS Score: 0.32% | Published: 2004-12-31 | Updated: 2020-12-01
Moodle 1.6.1 and earlier allows remote attackers to obtain sensitive information via (1) help.php and (2) other unspecified vectors involving scheduled backups.
Max CVSS: 5.0 | EPSS Score: 1.04% | Published: 2006-09-14 | Updated: 2017-07-20
backup/backup_scheduled.php in Moodle before 1.6.2 generates trace data with the full backup pathname even when debugging is disabled, which might allow attackers to obtain the pathname.
Max CVSS: 5.0 | EPSS Score: 0.07% | Published: 2006-09-23 | Updated: 2020-12-01
login/forgot_password.php in Moodle before 1.6.2 allows remote attackers to obtain sensitive information (e-mail addresses and Moodle account names) via a find action.
Max CVSS: 5.0 | EPSS Score: 0.13% | Published: 2006-09-23 | Updated: 2020-12-01
course/jumpto.php in Moodle before 1.6.2 does not validate the session key (sesskey) before providing content from arbitrary local URIs, which allows remote attackers to obtain sensitive information via the jump parameter.
Max CVSS: 5.0 | EPSS Score: 0.13% | Published: 2006-09-23 | Updated: 2020-12-01
SQL injection vulnerability in blog/index.php in the blog module in Moodle 1.6.2 allows remote attackers to execute arbitrary SQL commands via a double-encoded tag parameter.
Max CVSS: 5.1 | EPSS Score: 3.34% | Published: 2006-10-10 | Updated: 2018-10-17
Unspecified vulnerability in the Calendar export feature in Moodle 1.8 before 1.8.8 and 1.9 before 1.9.4 allows attackers to obtain sensitive information and conduct "brute force attacks on user accounts" via unknown vectors.
Max CVSS: 5.0 | EPSS Score: 0.18% | Published: 2009-02-10 | Updated: 2020-12-01
The LAMS module (mod/lams) for Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores the (1) username, (2) firstname, and (3) lastname fields within the user table, which allows attackers to obtain user account information via unknown vectors.
Max CVSS: 5.0 | EPSS Score: 0.24% | Published: 2009-12-16 | Updated: 2020-12-01
mod/glossary/showentry.php in the Glossary module for Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 does not properly perform access control, which allows attackers to read unauthorized Glossary entries via unknown vectors.
Max CVSS: 5.0 | EPSS Score: 0.24% | Published: 2009-12-16 | Updated: 2020-12-01
Multiple unspecified authentication plugins in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 store the MD5 hashes for passwords in the user table, even when the cached hashes are not used by the plugin, which might make it easier for attackers to obtain credentials via unspecified vectors.
Max CVSS: 5.0 | EPSS Score: 0.23% | Published: 2009-12-16 | Updated: 2020-12-01
login/index_form.html in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 links to an index page on the HTTP port even when the page is served from an HTTPS port, which might cause login credentials to be sent in cleartext, even when SSL is intended, and allows remote attackers to obtain these credentials by sniffing.
Max CVSS: 5.0 | EPSS Score: 0.29% | Published: 2009-12-16 | Updated: 2020-12-01
Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores (1) password hashes and (2) unspecified "secrets" in backup files, which might allow attackers to obtain sensitive information.
Max CVSS: 5.0 | EPSS Score: 0.24% | Published: 2009-12-16 | Updated: 2020-12-01
Moodle 2.0.1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by webservice/xmlrpc/locallib.php and certain other files.
Max CVSS: 5.0 | EPSS Score: 0.24% | Published: 2011-09-23 | Updated: 2012-03-12
CRLF injection vulnerability in calendar/set.php in the Calendar component in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, 2.1.x before 2.1.3, and 2.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors involving the url variable.
Max CVSS: 5.0 | EPSS Score: 0.19% | Published: 2011-12-22 | Updated: 2020-12-01
Moodle 2.0.x before 2.0.2 does not use the forceloginforprofiles setting for course-profiles access control, which makes it easier for remote attackers to obtain potentially sensitive information via vectors involving use of a search engine, as demonstrated by the search functionality of Google, Yahoo!, Wrensoft Zoom, MSN, Yandex, and AltaVista.
Max CVSS: 5.0 | EPSS Score: 0.31% | Published: 2012-07-16 | Updated: 2020-12-01
Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 places an IMS enterprise enrolment file in the course-files area, which allows remote attackers to obtain sensitive information via a request for imsenterprise-enrol.xml.
Max CVSS: 5.0 | EPSS Score: 0.31% | Published: 2012-07-16 | Updated: 2020-12-01
Moodle 2.0.x before 2.0.2 allows remote attackers to obtain sensitive information from a myprofile (aka My profile) block by visiting a user-context page.
Max CVSS: 5.0 | EPSS Score: 0.31% | Published: 2012-07-16 | Updated: 2020-12-01
The default configuration of Moodle 2.0.x before 2.0.2 has an incorrect setting of the moodle/course:delete capability, which allows remote authenticated users to delete arbitrary courses by leveraging the teacher role.
Max CVSS: 5.5 | EPSS Score: 0.25% | Published: 2012-07-16 | Updated: 2020-12-01
The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via unspecified vectors.
Max CVSS: 5.8 | EPSS Score: 0.16% | Published: 2012-07-16 | Updated: 2020-12-01
lib/db/access.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 assigns incorrect capabilities to the course-creator role, which allows remote authenticated users to modify course filters by leveraging this role.
Max CVSS: 5.5 | EPSS Score: 0.25% | Published: 2012-07-16 | Updated: 2023-02-13
The file_browser component in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 does not properly restrict access to category and course data, which allows remote attackers to obtain potentially sensitive information via a request for a file.
Max CVSS: 5.0 | EPSS Score: 0.29% | Published: 2012-07-11 | Updated: 2023-02-13
The MoodleQuickForm class in the Forms Library in lib/formslib.php in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 does not recognize Forms API setConstant operations, which allows remote attackers to submit unexpected form content by modifying the values of constant fields.
Max CVSS: 5.0 | EPSS Score: 0.33% | Published: 2012-07-11 | Updated: 2023-02-13
Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote attackers to bypass intended access restrictions and perform global searches by leveraging the guest role and making a direct request to a URL.
Max CVSS: 5.0 | EPSS Score: 0.23% | Published: 2012-07-11 | Updated: 2023-02-13
login/change_password.php in Moodle 1.9.x before 1.9.15 does not use https for the change-password form even if the httpslogin option is enabled, which allows remote attackers to obtain credentials by sniffing the network.
Max CVSS: 5.0 | EPSS Score: 0.36% | Published: 2012-07-20 | Updated: 2023-02-13
CRLF injection vulnerability in calendar/set.php in the Calendar subsystem in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Max CVSS: 5.0 | EPSS Score: 0.31% | Published: 2012-07-20 | Updated: 2023-02-13
118 vulnerabilities found