| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-10890 |
200 |
|
+Info |
2018-07-10 |
2018-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. It was possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories. |
|
2 |
CVE-2018-10889 |
532 |
|
|
2018-07-10 |
2018-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7. No option existed to omit logs from data privacy exports, which may contain details of other users who interacted with the requester. |
|
3 |
CVE-2018-1137 |
20 |
|
|
2018-05-25 |
2018-06-25 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack. |
|
4 |
CVE-2018-1081 |
388 |
|
|
2018-04-04 |
2018-07-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via paypal enrol script. Paypal IPN callback script should only send error emails to admin after request origin was verified, otherwise admin email can be spammed. |
|
5 |
CVE-2017-7490 |
264 |
|
|
2017-05-15 |
2017-05-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing. |
|
6 |
CVE-2017-2643 |
200 |
|
+Info |
2017-03-26 |
2017-07-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Moodle 3.2.x, global search displays user names for unauthenticated users. |
|
7 |
CVE-2017-2576 |
20 |
|
|
2017-01-20 |
2017-01-25 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums. |
|
8 |
CVE-2016-8644 |
264 |
|
|
2017-01-20 |
2017-01-25 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context. |
|
9 |
CVE-2016-8642 |
284 |
|
|
2017-01-20 |
2017-01-25 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Moodle 2.x and 3.x, the question engine allows access to files that should not be available. |
|
10 |
CVE-2016-7919 |
89 |
|
Sql +Info |
2016-10-28 |
2016-12-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
** DISPUTED ** Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting that "the person who is installing Moodle must know database access credentials and they can access the database directly; there is no need for them to create a SQL injection in one of the installation dialogue fields." |
|
11 |
CVE-2016-7038 |
640 |
|
|
2017-01-20 |
2017-01-25 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. |
|
12 |
CVE-2016-5014 |
200 |
|
+Info |
2017-01-20 |
2017-01-25 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course. |
|
13 |
CVE-2016-5013 |
74 |
|
|
2017-01-20 |
2017-01-25 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam. |
|
14 |
CVE-2016-5012 |
200 |
|
+Info |
2017-01-20 |
2017-01-25 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Moodle 3.x, glossary search displays entries without checking user permissions to view them. |
|
15 |
CVE-2016-3731 |
200 |
|
+Info |
2017-04-20 |
2017-04-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 allows remote attackers to obtain the names of hidden forums and forum discussions. |
|
16 |
CVE-2016-2190 |
264 |
|
+Info |
2016-05-22 |
2017-09-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log. |
|
17 |
CVE-2015-5267 |
254 |
|
|
2016-02-22 |
2017-09-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. |
|
18 |
CVE-2015-5264 |
264 |
|
Bypass |
2016-02-22 |
2017-09-16 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
The lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to bypass intended access restrictions and enter additional answer attempts by leveraging the student role. |
|
19 |
CVE-2015-3272 |
|
|
|
2016-02-22 |
2017-09-21 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an HTTP Referer header that has a substring match with a local URL. |
|
20 |
CVE-2015-3175 |
|
|
|
2015-06-01 |
2016-12-30 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an error page that links to a URL from an HTTP Referer header. |
|
21 |
CVE-2014-9060 |
20 |
|
|
2014-11-24 |
2015-09-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php. |
|
22 |
CVE-2014-7848 |
200 |
|
+Info |
2014-11-24 |
2015-09-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. |
|
23 |
CVE-2014-7847 |
399 |
|
DoS |
2014-11-24 |
2015-09-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote attackers to cause a denial of service (resource consumption) by triggering the calculation of an estimated latitude and longitude for an IP address. |
|
24 |
CVE-2014-7837 |
264 |
|
|
2014-11-24 |
2015-09-03 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to remove wiki pages by leveraging delete access within a different subwiki. |
|
25 |
CVE-2014-3546 |
264 |
|
+Info |
2014-07-29 |
2014-07-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL. |
|
26 |
CVE-2014-0216 |
264 |
|
+Info |
2014-05-26 |
2014-05-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block. |
|
27 |
CVE-2014-0125 |
264 |
|
Bypass |
2014-03-24 |
2014-03-24 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 places a session key in a URL, which allows remote attackers to bypass intended Alfresco Repository file restrictions by impersonating a file's owner. |
|
28 |
CVE-2014-0009 |
264 |
|
|
2014-01-20 |
2014-02-21 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request. |
|
29 |
CVE-2013-4522 |
200 |
|
+Info |
2013-11-26 |
2013-11-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
lib/filelib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 does not send "Cache-Control: private" HTTP headers, which allows remote attackers to obtain sensitive information by requesting a file that had been previously retrieved by a caching proxy server. |
|
30 |
CVE-2013-2083 |
20 |
|
Bypass |
2013-05-24 |
2013-11-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The MoodleQuickForm class in lib/formslib.php in Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly handle a certain array-element syntax, which allows remote attackers to bypass intended form-data filtering via a crafted request. |
|
31 |
CVE-2013-2082 |
264 |
|
+Info |
2013-05-24 |
2013-11-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not enforce capability requirements for reading blog comments, which allows remote attackers to obtain sensitive information via a crafted request. |
|
32 |
CVE-2013-1831 |
200 |
|
+Info |
2013-03-25 |
2013-12-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message. |
|
33 |
CVE-2013-1830 |
264 |
|
+Info |
2013-03-25 |
2016-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search. |
|
34 |
CVE-2012-6112 |
264 |
|
|
2013-01-27 |
2013-01-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string. |
|
35 |
CVE-2012-6106 |
264 |
|
|
2013-01-27 |
2013-01-30 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
calendar/managesubscriptions.php in the Manage Subscriptions implementation in Moodle 2.4.x before 2.4.1 omits a capability check, which allows remote authenticated users to remove course-level calendar subscriptions by leveraging the student role and sending an iCalendar object. |
|
36 |
CVE-2012-6105 |
200 |
|
+Info |
2013-01-27 |
2013-01-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
blog/rsslib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 continues to provide a blog RSS feed after blogging is disabled, which allows remote attackers to obtain sensitive information by reading this feed. |
|
37 |
CVE-2012-6104 |
200 |
|
+Info |
2013-01-27 |
2013-01-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
blog/rsslib.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allows remote attackers to obtain sensitive information from site-level blogs by leveraging the guest role and reading an RSS feed. |
|
38 |
CVE-2012-6101 |
20 |
|
|
2013-01-27 |
2013-01-28 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Multiple open redirect vulnerabilities in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors related to (1) backup/backupfilesedit.php, (2) comment/comment_post.php, (3) course/switchrole.php, (4) mod/wiki/filesedit.php, (5) tag/coursetags_add.php, or (6) user/files.php. |
|
39 |
CVE-2012-6087 |
20 |
|
|
2013-09-16 |
2014-01-31 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value. |
|
40 |
CVE-2012-4408 |
264 |
|
Bypass |
2012-09-19 |
2012-09-19 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
course/reset.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 checks an update capability instead of a reset capability, which allows remote authenticated users to bypass intended access restrictions via a reset operation. |
|
41 |
CVE-2012-4407 |
200 |
|
+Info |
2012-09-19 |
2012-09-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
lib/filelib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly check the publication state of blog files, which allows remote attackers to obtain sensitive information by reading a blog entry that references a non-public file. |
|
42 |
CVE-2012-4403 |
200 |
|
+Info |
2012-09-19 |
2012-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
theme/yui_combo.php in Moodle 2.3.x before 2.3.2 does not properly construct error responses for the drag-and-drop script, which allows remote attackers to obtain the installation path by sending a request for a nonexistent resource and then reading the response. |
|
43 |
CVE-2012-3394 |
200 |
|
+Info |
2012-07-23 |
2017-11-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
auth/ldap/ntlmsso_attempt.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 redirects users from an https LDAP login URL to an http URL, which allows remote attackers to obtain sensitive information by sniffing the network. |
|
44 |
CVE-2012-3392 |
16 |
|
Bypass |
2012-07-23 |
2017-11-30 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
mod/forum/unsubscribeall.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not consider whether a forum is optional, which allows remote authenticated users to bypass forum-subscription requirements by leveraging the student role and unsubscribing from all forums. |
|
45 |
CVE-2012-2366 |
|
|
|
2012-07-20 |
2012-07-23 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
mod/data/preset.php in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 does not properly iterate through an array, which allows remote authenticated users to overwrite arbitrary database activity presets via unspecified vectors. |
|
46 |
CVE-2012-2358 |
264 |
|
Bypass |
2012-07-20 |
2012-07-23 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to bypass an activity's read-only state and modify the database by leveraging the student role and editing database activity entries that already exist. |
|
47 |
CVE-2012-2357 |
200 |
|
+Info |
2012-07-20 |
2012-07-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Multi-Authentication feature in the Central Authentication Service (CAS) functionality in auth/cas/cas_form.html in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 does not use HTTPS, which allows remote attackers to obtain credentials by sniffing the network. |
|
48 |
CVE-2012-0798 |
264 |
|
|
2012-07-17 |
2012-07-17 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
The self-enrolment functionality in Moodle 2.1.x before 2.1.4 and 2.2.x before 2.2.1 allows remote authenticated users to obtain the manager role by leveraging the teacher role. |
|
49 |
CVE-2012-0797 |
16 |
|
Bypass |
2012-07-17 |
2012-09-14 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
The webservices functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote authenticated users to bypass the deleted status and continue using a server via a token. |
|
50 |
CVE-2012-0794 |
255 |
|
|
2012-07-17 |
2017-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The rc4encrypt function in lib/moodlelib.php in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 uses a hardcoded password of nfgjeingjk, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by reading this script's source code within the open-source software distribution. |
