| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2012-0801 |
20 |
|
|
2012-07-17 |
2012-07-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
lib/formslib.php in Moodle 2.1.x before 2.1.4 and 2.2.x before 2.2.1 does not properly handle multiple instances of a form element, which has unspecified impact and remote attack vectors. |
|
2 |
CVE-2010-1615 |
89 |
|
Exec Code Sql |
2010-04-29 |
2010-05-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the add_to_log function in mod/wiki/view.php in the wiki module, or (2) "data validation in some forms elements" related to lib/form/selectgroups.php. |
|
3 |
CVE-2009-4304 |
255 |
|
|
2009-12-15 |
2009-12-17 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 does not use a random password salt in config.php, which makes it easier for attackers to conduct brute-force password guessing attacks. |
|
4 |
CVE-2008-6124 |
89 |
|
Exec Code Sql |
2009-02-12 |
2009-02-13 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the hotpot_delete_selected_attempts function in report.php in the HotPot module in Moodle 1.6 before 1.6.7, 1.7 before 1.7.5, 1.8 before 1.8.6, and 1.9 before 1.9.2 allows remote attackers to execute arbitrary SQL commands via a crafted selected attempt. |
|
5 |
CVE-2007-6538 |
89 |
|
Exec Code Sql |
2007-12-27 |
2008-11-15 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in ing/blocks/mrbs/code/web/view_entry.php in the MRBS plugin for Moodle allows remote attackers to execute arbitrary SQL commands via the id parameter. |
|
6 |
CVE-2007-1647 |
|
1
|
+Info |
2007-03-23 |
2008-11-13 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
Moodle 1.5.2 and earlier stores sensitive information under the web root with insufficient access control, and provides directory listings, which allows remote attackers to obtain user names, password hashes, and other sensitive information via a direct request for session (sess_*) files in moodledata/sessions/. |
|
7 |
CVE-2007-1429 |
|
|
Exec Code File Inclusion |
2007-03-12 |
2008-09-05 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple PHP remote file inclusion vulnerabilities in Moodle 1.7.1 allow remote attackers to execute arbitrary PHP code via a URL in the cmd parameter to (1) admin/utfdbmigrate.php or (2) filter.php. |
|
8 |
CVE-2006-4785 |
89 |
|
Exec Code Sql |
2006-09-14 |
2011-08-05 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in blog/edit.php in Moodle 1.6.1 and earlier allows remote attackers to execute arbitrary SQL commands via the format parameter as stored in the $blogEntry variable, which is not properly handled by the insert_record function, which calls _adodb_column_sql in the adodb layer (lib/adodb/adodb-lib.inc.php), which does not convert the data type to an int. |
|
9 |
CVE-2006-0147 |
|
|
Exec Code |
2006-01-09 |
2008-09-05 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo. |
|
10 |
CVE-2006-0146 |
89 |
|
Exec Code Sql |
2006-01-09 |
2011-06-14 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter. |
|
11 |
CVE-2005-3648 |
|
|
Exec Code Sql |
2005-11-17 |
2008-09-05 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in the get_record function in datalib.php in Moodle 1.5.2 allow remote attackers to execute arbitrary SQL commands via the id parameter in (1) category.php and (2) info.php. |
|
12 |
CVE-2004-2234 |
|
|
|
2004-12-31 |
2008-09-05 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Unknown vulnerability in Moodle before 1.2 allows teachers to log in as administrators. |
|
13 |
CVE-2004-2232 |
|
|
Sql |
2004-12-31 |
2008-09-10 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in sql.php in the Glossary module in Moodle 1.4.1 and earlier allows remote attackers to modify SQL statements. |
