The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via unspecified vectors.
Max CVSS: 5.8 | EPSS Score: 0.16% | Published: 2012-07-16 | Updated: 2020-12-01

repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value.
Max CVSS: 5.8 | EPSS Score: 0.09% | Published: 2013-09-16 | Updated: 2020-12-01

Multiple open redirect vulnerabilities in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors related to (1) backup/backupfilesedit.php, (2) comment/comment_post.php, (3) course/switchrole.php, (4) mod/wiki/filesedit.php, (5) tag/coursetags_add.php, or (6) user/files.php.
Max CVSS: 5.8 | EPSS Score: 0.15% | Published: 2013-01-27 | Updated: 2020-12-01

repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 places a session key in a URL, which allows remote attackers to bypass intended Alfresco Repository file restrictions by impersonating a file's owner.
Max CVSS: 5.8 | EPSS Score: 0.25% | Published: 2014-03-24 | Updated: 2020-12-01

Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an error page that links to a URL from an HTTP Referer header.
Max CVSS: 5.8 | EPSS Score: 0.35% | Published: 2015-06-01 | Updated: 2020-12-01

In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.
Max CVSS: 5.8 | EPSS Score: 0.08% | Published: 2017-01-20 | Updated: 2020-12-01

In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course.
Max CVSS: 5.8 | EPSS Score: 0.08% | Published: 2017-01-20 | Updated: 2020-12-01

The default configuration of Moodle 2.0.x before 2.0.2 has an incorrect setting of the moodle/course:delete capability, which allows remote authenticated users to delete arbitrary courses by leveraging the teacher role.
Max CVSS: 5.5 | EPSS Score: 0.25% | Published: 2012-07-16 | Updated: 2020-12-01

lib/db/access.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 assigns incorrect capabilities to the course-creator role, which allows remote authenticated users to modify course filters by leveraging this role.
Max CVSS: 5.5 | EPSS Score: 0.25% | Published: 2012-07-16 | Updated: 2023-02-13

backup/moodle2/restore_stepslib.php in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 does not check for the moodle/course:changeidnumber privilege during handling of course ID numbers, which allows remote authenticated users to overwrite ID numbers via a restore action.
Max CVSS: 5.5 | EPSS Score: 0.24% | Published: 2012-07-20 | Updated: 2020-12-01

The webservices functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote authenticated users to bypass the deleted status and continue using a server via a token.
Max CVSS: 5.5 | EPSS Score: 0.13% | Published: 2012-07-17 | Updated: 2020-12-01

The self-enrolment functionality in Moodle 2.1.x before 2.1.4 and 2.2.x before 2.2.1 allows remote authenticated users to obtain the manager role by leveraging the teacher role.
Max CVSS: 5.5 | EPSS Score: 0.12% | Published: 2012-07-17 | Updated: 2020-12-01

Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to bypass an activity's read-only state and modify the database by leveraging the student role and editing database activity entries that already exist.
Max CVSS: 5.5 | EPSS Score: 0.16% | Published: 2012-07-21 | Updated: 2020-12-01

mod/data/preset.php in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 does not properly iterate through an array, which allows remote authenticated users to overwrite arbitrary database activity presets via unspecified vectors.
Max CVSS: 5.5 | EPSS Score: 0.18% | Published: 2012-07-21 | Updated: 2020-12-01

mod/forum/unsubscribeall.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not consider whether a forum is optional, which allows remote authenticated users to bypass forum-subscription requirements by leveraging the student role and unsubscribing from all forums.
Max CVSS: 5.5 | EPSS Score: 0.34% | Published: 2012-07-23 | Updated: 2020-12-01

course/reset.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 checks an update capability instead of a reset capability, which allows remote authenticated users to bypass intended access restrictions via a reset operation.
Max CVSS: 5.5 | EPSS Score: 0.10% | Published: 2012-09-19 | Updated: 2020-12-01

calendar/managesubscriptions.php in the Manage Subscriptions implementation in Moodle 2.4.x before 2.4.1 omits a capability check, which allows remote authenticated users to remove course-level calendar subscriptions by leveraging the student role and sending an iCalendar object.
Max CVSS: 5.5 | EPSS Score: 0.19% | Published: 2013-01-27 | Updated: 2020-12-01

course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request.
Max CVSS: 5.5 | EPSS Score: 0.30% | Published: 2014-01-20 | Updated: 2020-12-01

mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to remove wiki pages by leveraging delete access within a different subwiki.
Max CVSS: 5.5 | EPSS Score: 0.24% | Published: 2014-11-24 | Updated: 2020-12-01

The lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to bypass intended access restrictions and enter additional answer attempts by leveraging the student role.
Max CVSS: 5.5 | EPSS Score: 0.15% | Published: 2016-02-22 | Updated: 2020-12-01

A vulnerability was found in Moodle versions 3.7.x before 3.7.3, 3.6.x before 3.6.7 and 3.5.x before 3.5.9. When a cohort role assignment was removed, the associated capabilities were not being revoked (where applicable).
Max CVSS: 5.5 | EPSS Score: 0.06% | Published: 2020-01-07 | Updated: 2020-03-31

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.
Max CVSS: 5.5 | EPSS Score: 0.05% | Published: 2022-01-25 | Updated: 2022-12-21

Cross-site scripting (XSS) vulnerability in group/overview.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to inject arbitrary web script or HTML via a modified grouping description.
Max CVSS: 5.4 | EPSS Score: 0.11% | Published: 2016-02-22 | Updated: 2020-12-01

Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering a crafted survey answer.
Max CVSS: 5.4 | EPSS Score: 0.07% | Published: 2016-02-22 | Updated: 2020-12-01

In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element.
Max CVSS: 5.4 | EPSS Score: 0.07% | Published: 2017-03-29 | Updated: 2018-05-18

118 vulnerabilities found