# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
1 |
CVE-2018-1045 |
79 |
|
XSS |
2018-01-22 |
2018-02-05 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
In Moodle 3.x, there is XSS via a calendar event name. |
2 |
CVE-2017-7298 |
79 |
|
XSS |
2017-03-29 |
2018-05-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element. |
3 |
CVE-2015-5336 |
79 |
|
XSS |
2016-02-22 |
2016-03-02 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering a crafted survey answer. |
4 |
CVE-2015-5269 |
79 |
|
XSS |
2016-02-22 |
2017-09-16 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in group/overview.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to inject arbitrary web script or HTML via a modified grouping description. |
5 |
CVE-2015-3179 |
264 |
|
Bypass |
2015-06-01 |
2016-12-30 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to bypass intended login restrictions by leveraging access to an unconfirmed suspended account. |
6 |
CVE-2015-3178 |
79 |
|
XSS |
2015-06-01 |
2016-12-30 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the external_format_text function in lib/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML into an external application via a crafted string that is visible to web services. |
7 |
CVE-2015-3177 |
17 |
|
+Info |
2015-06-01 |
2016-12-30 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
Moodle 2.8.x before 2.8.6 does not consider the tool/monitor:subscribe capability before entering subscriptions to site-wide event-monitor rules, which allows remote authenticated users to obtain sensitive information via a subscription request. |
8 |
CVE-2015-3174 |
79 |
|
XSS |
2015-06-01 |
2016-12-30 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading. |
9 |
CVE-2015-2273 |
79 |
|
XSS |
2015-06-01 |
2015-06-02 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in mod/quiz/report/statistics/statistics_question_table.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the student role for a crafted quiz response. |
10 |
CVE-2015-2269 |
79 |
|
XSS |
2015-06-01 |
2015-06-02 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript-static.js in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) alt or (2) title attribute in an IMG element. |
11 |
CVE-2015-0216 |
79 |
|
XSS |
2015-06-01 |
2015-06-02 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
access.php in the Lesson module in Moodle 2.8.x before 2.8.2 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted essay feedback. |
12 |
CVE-2015-0212 |
79 |
|
XSS |
2015-06-01 |
2015-06-02 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in course/pending.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted course summary. |
13 |
CVE-2014-7830 |
79 |
|
XSS |
2014-11-24 |
2015-09-08 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter. |
14 |
CVE-2014-3551 |
79 |
|
XSS |
2014-07-29 |
2015-10-08 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric. |
15 |
CVE-2014-3544 |
79 |
1
|
XSS |
2014-07-29 |
2015-08-31 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field. |
16 |
CVE-2014-2571 |
79 |
|
XSS |
2014-03-24 |
2014-03-24 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the quiz_question_tostring function in mod/quiz/editlib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to inject arbitrary web script or HTML via a quiz question. |
17 |
CVE-2013-4525 |
79 |
|
XSS |
2013-11-26 |
2013-11-27 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in mod/quiz/report/responses/responses_table.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to inject arbitrary web script or HTML via an answer to a text-based quiz question. |
18 |
CVE-2013-4523 |
79 |
|
XSS |
2013-11-26 |
2013-11-27 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in message/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted message. |
19 |
CVE-2013-1835 |
200 |
|
+Info |
2013-03-25 |
2013-12-05 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated administrators to obtain sensitive information from the external repositories of arbitrary users by leveraging the login_as feature. |
20 |
CVE-2013-1833 |
79 |
|
XSS |
2013-03-25 |
2013-12-05 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted filename. |
21 |
CVE-2012-3396 |
79 |
|
XSS |
2012-07-23 |
2017-11-30 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in cohort/edit_form.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the idnumber field. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2365. |
22 |
CVE-2012-3393 |
79 |
|
XSS |
2012-07-23 |
2017-11-30 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in repository/lib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 allows remote authenticated administrators to inject arbitrary web script or HTML by renaming a repository. |
23 |
CVE-2012-3390 |
264 |
|
+Info |
2012-07-23 |
2017-11-30 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
lib/filelib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not properly restrict file access after a block has been hidden, which allows remote authenticated users to obtain sensitive information by reading a file that is embedded in a block. |
24 |
CVE-2012-2365 |
79 |
|
XSS |
2012-07-20 |
2012-10-30 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via the idnumber field to cohort/edit.php. |
25 |
CVE-2012-2364 |
79 |
|
XSS |
2012-07-20 |
2012-07-23 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in lib/filelib.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via an assignment submission with zip compression, leading to text/html rendering during a "download all" action. |
26 |
CVE-2012-2361 |
79 |
|
XSS |
2012-07-20 |
2012-07-23 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in admin/webservice/forms.php in the web services implementation in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via the name field (aka the service name) to admin/webservice/service.php. |
27 |
CVE-2012-2360 |
79 |
|
XSS |
2012-07-20 |
2012-07-23 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Wiki subsystem in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted string that is inserted into a page title. |