Moodle : Security Vulnerabilities (CVSS score between 2 and 2.99)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Confidentiality | Integrity | Availability | Description |
|---|--------|--------|---------------|-----------------------|--------------|-------------|-------|---------------------|--------|------------|----------------|-----------------|-----------|--------------|-------------|
| 1 | CVE-2021-32472 | 862 | | | 2022-03-11 | 2022-12-02 | 2.6 | None | Remote | High | Not required | Partial | None | None | Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 are affected. |
| 2 | CVE-2021-20186 | 79 | | XSS | 2021-01-28 | 2021-02-01 | 2.1 | None | Remote | High | ??? | Partial | None | None | It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS. |
| 3 | CVE-2014-7835 | 79 | | XSS | 2014-11-24 | 2020-12-01 | 2.1 | None | Remote | High | ??? | None | Partial | None | webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area. |
| 4 | CVE-2012-2362 | 79 | | XSS | 2012-07-21 | 2020-12-01 | 2.6 | None | Remote | High | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in blog/lib.php in the blog implementation in Moodle 1.9.x before 1.9.18, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via a crafted parameter to blog/index.php. |
| 5 | CVE-2012-0800 | 200 | | +Info | 2012-07-17 | 2020-12-01 | 2.1 | None | Local | Low | Not required | Partial | None | None | The form-autocompletion functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 makes it easier for physically proximate attackers to discover passwords by reading the contents of a non-password field, as demonstrated by accessing a create-groups page with Safari on an iPad device. |
| 6 | CVE-2008-3326 | 79 | | XSS | 2008-07-25 | 2020-12-01 | 2.6 | None | Remote | High | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in blog/edit.php in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to inject arbitrary web script or HTML via the etitle parameter (blog entry title). |
| 7 | CVE-2005-3649 | | | | 2005-11-17 | 2016-10-18 | 2.6 | None | Remote | High | Not required | None | Partial | None | jumpto.php in Moodle 1.5.2 allows remote attackers to redirect users to other sites via the jump parameter. |
Total number of vulnerabilities: 7