| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2013-2081 |
264 |
|
+Info |
2013-05-24 |
2013-05-28 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not consider "don't send" attributes during hub registration, which allows remote hubs to obtain sensitive site information by reading form data. |
|
2 |
CVE-2013-2080 |
264 |
|
+Info |
2013-05-24 |
2013-05-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The core_grade component in Moodle through 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly consider the existence of hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role and reading the Gradebook Overview report. |
|
3 |
CVE-2013-2079 |
264 |
|
|
2013-05-24 |
2013-05-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
mod/assign/locallib.php in the assignment module in Moodle 2.3.x before 2.3.7 and 2.4.x before 2.4.4 does not consider capability requirements during the processing of ZIP assignment-archive download (aka downloadall) requests, which allows remote authenticated users to read other users' assignments by leveraging the student role. |
|
4 |
CVE-2013-1834 |
264 |
|
|
2013-03-25 |
2013-03-26 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated users to reassign notes via a modified (1) userid or (2) courseid field. |
|
5 |
CVE-2013-1832 |
200 |
|
+Info |
2013-03-25 |
2013-03-26 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance. |
|
6 |
CVE-2013-1829 |
200 |
|
+Info |
2013-03-25 |
2013-03-26 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
calendar/managesubscriptions.php in Moodle 2.4.x before 2.4.2 does not consider capability requirements before displaying calendar subscriptions, which allows remote authenticated users to obtain potentially sensitive information by leveraging the student role. |
|
7 |
CVE-2012-6100 |
264 |
|
|
2013-01-27 |
2013-01-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
report/outline/index.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/user:viewhiddendetails capability requirement, which allows remote authenticated users to discover a hidden lastaccess value by reading an activity report. |
|
8 |
CVE-2012-6099 |
20 |
|
|
2013-01-27 |
2013-01-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature. |
|
9 |
CVE-2012-6098 |
264 |
|
|
2013-01-27 |
2013-01-30 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/grade:manage capability requirement, which allows remote authenticated users to convert custom outcomes into standard site-wide outcomes by leveraging the teacher role and using the re-editing feature. |
|
10 |
CVE-2012-5481 |
264 |
|
Bypass |
2012-11-21 |
2012-11-21 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass the moodle/role:manage capability requirement and read all capability data by visiting the Check Permissions page. |
|
11 |
CVE-2012-5473 |
200 |
|
+Info |
2012-11-21 |
2013-01-29 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to read activity entries of a different group's users via an advanced search. |
|
12 |
CVE-2012-5472 |
264 |
|
Bypass |
2012-11-21 |
2012-11-21 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
lib/formslib.php in Moodle 2.2.x before 2.2.6 and 2.3.x before 2.3.3 allows remote authenticated users to bypass intended access restrictions via a modified value of a frozen form field. |
|
13 |
CVE-2012-4402 |
264 |
|
|
2012-09-19 |
2012-10-26 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
webservice/lib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly restrict the use of web-service tokens, which allows remote authenticated users to run arbitrary external-service functions via a token intended for only one service. |
|
14 |
CVE-2012-4401 |
264 |
|
Bypass |
2012-09-19 |
2012-09-19 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
Moodle 2.2.x before 2.2.5 and 2.3.x before 2.3.2 allows remote authenticated users to bypass intended capability restrictions and perform certain topic changes by leveraging course-editing capabilities. |
|
15 |
CVE-2012-4400 |
264 |
|
Bypass |
2012-09-19 |
2012-10-26 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
repository/repository_ajax.php in Moodle 2.2.x before 2.2.5 and 2.3.x before 2.3.2 allows remote authenticated users to bypass intended upload-size restrictions via a -1 value in the maxbytes field. |
|
16 |
CVE-2012-3398 |
|
|
DoS |
2012-07-23 |
2012-08-09 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
Algorithmic complexity vulnerability in Moodle 1.9.x before 1.9.19, 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to cause a denial of service (CPU consumption) by using the advanced-search feature on a database activity that has many records. |
|
17 |
CVE-2012-3397 |
264 |
|
Bypass |
2012-07-23 |
2012-07-24 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
lib/modinfolib.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 does not check for a group-membership requirement when determining whether an activity is unavailable or hidden, which allows remote authenticated users to bypass intended access restrictions by selecting an activity that is configured for a group of other users. |
|
18 |
CVE-2012-3391 |
264 |
|
Bypass |
2012-07-23 |
2012-07-24 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
mod/forum/rsslib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not properly implement the requirement for posting before reading a Q&A forum, which allows remote authenticated users to bypass intended access restrictions by leveraging the student role and reading the RSS feed for a forum. |
|
19 |
CVE-2012-3389 |
79 |
|
XSS |
2012-07-23 |
2012-07-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in mod/lti/typessettings.php in Moodle 2.2.x before 2.2.4 and 2.3.x before 2.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) lti_typename or (2) lti_toolurl parameter. |
|
20 |
CVE-2012-3388 |
264 |
|
Bypass |
2012-07-23 |
2012-08-09 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
The is_enrolled function in lib/accesslib.php in Moodle 2.2.x before 2.2.4 and 2.3.x before 2.3.1 does not properly interact with the caching feature, which might allow remote authenticated users to bypass an intended capability check via unspecified vectors that trigger caching of a user record. |
|
21 |
CVE-2012-3387 |
264 |
|
Bypass |
2012-07-23 |
2012-07-24 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
Moodle 2.3.x before 2.3.1 uses only a client-side check for whether references are permitted in a file upload, which allows remote authenticated users to bypass intended alias (aka shortcut) restrictions via a client that omits this check. |
|
22 |
CVE-2012-2367 |
264 |
|
Bypass |
2012-07-20 |
2012-10-30 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
Moodle 1.9.x before 1.9.18, 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to bypass the moodle/calendar:manageownentries capability requirement and add a calendar entry via a New Entry action. |
|
23 |
CVE-2012-2356 |
264 |
|
Bypass |
2012-07-20 |
2012-07-23 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
The question-bank functionality in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass intended capability requirements and save questions via a save_question action. |
|
24 |
CVE-2012-2355 |
264 |
|
Bypass |
2012-07-20 |
2012-07-23 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass question:use* capability requirements and add arbitrary questions to a quiz via the questions feature. |
|
25 |
CVE-2012-2354 |
264 |
|
Bypass |
2012-07-20 |
2012-07-23 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass the moodle/site:readallmessages capability requirement and read arbitrary messages by using the "Recent conversations" feature with a modified parameter in a URL. |
|
26 |
CVE-2012-2353 |
200 |
|
+Info |
2012-07-20 |
2012-08-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to obtain sensitive user information from hidden fields by leveraging the teacher role and navigating to "Enrolled users" under the Users Settings section. |
|
27 |
CVE-2012-0799 |
200 |
|
+Info |
2012-07-17 |
2012-07-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Moodle 2.0.x before 2.0.7 and 2.1.x before 2.1.4, when an anonymous front-page forum is enabled, allows remote attackers to obtain session keys for their sessions by visiting the front page. |
|
28 |
CVE-2012-0796 |
94 |
|
|
2012-07-17 |
2012-07-17 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 and other products, allows remote authenticated users to inject arbitrary e-mail headers via vectors involving a crafted (1) From: or (2) Sender: header. |
|
29 |
CVE-2012-0792 |
200 |
|
+Info |
2012-07-17 |
2012-07-17 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
mod/forum/user.php in Moodle 1.9.x before 1.9.16 allows remote authenticated users to obtain the names and other details of arbitrary user accounts by searching for posts. |
|
30 |
CVE-2011-4593 |
200 |
|
+Info |
2012-07-20 |
2012-07-23 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 does not properly handle user/action_redir group messages, which allows remote authenticated users to discover e-mail addresses by visiting the messaging interface. |
|
31 |
CVE-2011-4591 |
79 |
|
XSS |
2012-07-20 |
2012-07-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the print_object function in lib/datalib.php in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3, when a developer debugging script is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors involving object states. |
|
32 |
CVE-2011-4590 |
287 |
|
Bypass |
2012-07-20 |
2012-07-23 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
The web services implementation in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 does not properly consider the maintenance-mode state and account attributes during login attempts, which allows remote authenticated users to bypass intended access restrictions by connecting to a webservice server. |
|
33 |
CVE-2011-4584 |
264 |
|
|
2012-07-20 |
2012-07-20 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
The MNET authentication functionality in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 allows remote authenticated users to impersonate other user accounts by using the Login As feature in conjunction with a remote MNET single sign-on capability, as demonstrated by a Mahara site. |
|
34 |
CVE-2011-4582 |
20 |
|
|
2012-07-20 |
2012-07-23 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Calendar set page in Moodle 2.1.x before 2.1.3 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via a redirection URL. |
|
35 |
CVE-2011-4581 |
200 |
|
+Info |
2012-07-20 |
2012-07-23 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
mod/wiki/pagelib.php in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 allows remote authenticated users to discover the username of a wiki creator by visiting the history and deletion user interface. |
|
36 |
CVE-2011-4308 |
264 |
|
|
2012-07-11 |
2012-07-16 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
mod/forum/user.php in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 allows remote authenticated users to discover the names of other users via unspecified vectors. |
|
37 |
CVE-2011-4307 |
79 |
|
XSS |
2012-07-11 |
2012-07-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in mod/wiki/lang/en/wiki.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the section parameter. |
|
38 |
CVE-2011-4306 |
79 |
|
XSS |
2012-07-11 |
2012-07-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in course/editsection.html in Moodle 1.9.x before 1.9.14 allows remote authenticated users to inject arbitrary web script or HTML via crafted data. |
|
39 |
CVE-2011-4305 |
189 |
|
DoS |
2012-07-11 |
2012-07-16 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
message/refresh.php in Moodle 1.9.x before 1.9.14 allows remote authenticated users to cause a denial of service (infinite request loop) via a URL that specifies a zero wait time for message refreshing. |
|
40 |
CVE-2011-4304 |
200 |
|
+Info |
2012-07-11 |
2012-07-11 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The chat functionality in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote authenticated users to discover the name of any user via a beep operation. |
|
41 |
CVE-2011-4303 |
310 |
|
Bypass |
2012-07-11 |
2012-07-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
lib/db/upgrade.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 does not set the correct registration_hubs.secret value during installation, which allows remote attackers to bypass intended access restrictions by leveraging the hubs feature. |
|
42 |
CVE-2011-4299 |
79 |
|
XSS |
2012-07-11 |
2012-07-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in mod/wiki/pagelib.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote authenticated users to inject arbitrary web script or HTML via a wiki comment. |
|
43 |
CVE-2011-4292 |
89 |
|
DoS Sql |
2012-07-16 |
2012-07-16 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted comments operations. |
|
44 |
CVE-2011-4291 |
|
|
DoS |
2012-07-16 |
2012-07-16 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted ratings operations. |
|
45 |
CVE-2011-4290 |
79 |
|
XSS |
2012-07-16 |
2012-07-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in lib/weblib.php in Moodle 1.9.x before 1.9.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to URL encoding. |
|
46 |
CVE-2011-4289 |
264 |
|
+Info |
2012-07-16 |
2012-07-16 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Moodle 2.0.x before 2.0.3 does not recognize the configuration setting that makes e-mail addresses visible only to course members, which allows remote authenticated users to obtain sensitive address information by reading a full profile page. |
|
47 |
CVE-2011-4288 |
264 |
|
|
2012-07-16 |
2012-07-16 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Moodle 1.9.x before 1.9.12 and 2.0.x before 2.0.3 does not properly implement associations between teachers and groups, which allows remote authenticated users to read quiz reports of arbitrary students by leveraging the teacher role. |
|
48 |
CVE-2011-4286 |
79 |
|
XSS |
2012-07-16 |
2012-07-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the media-filter implementation in filter/mediaplugin/filter.php in Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) Flash Video (aka FLV) files and (2) YouTube videos. |
|
49 |
CVE-2011-4282 |
79 |
|
XSS |
2012-07-16 |
2012-07-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the course-tags functionality in tag/coursetags_more.php in Moodle 2.0.x before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) sort or (2) show parameter. |
|
50 |
CVE-2011-4280 |
79 |
|
XSS |
2012-07-16 |
2012-07-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Spike PHPCoverage (aka spikephpcoverage) library, as used in Moodle 2.0.x before 2.0.2 and other products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
