CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Moodle : Security Vulnerabilities (CVSS score between 7 and 7.99)

CVSS Scores Greater Than: 0   1   2   3   4   5   6   7   8   9  
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-30600 682 Bypass 2022-05-18 2022-06-13
7.5
 None Remote Low Not required Partial Partial Partial
A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.
2 CVE-2022-30599 89 Sql 2022-05-18 2022-06-13
7.5
 None Remote Low Not required Partial Partial Partial
A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.
3 CVE-2022-0332 89 Sql 2022-01-25 2022-02-01
7.5
 None Remote Low Not required Partial Partial Partial
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.
4 CVE-2021-3943 20 Exec Code 2021-11-22 2021-11-23
7.5
 None Remote Low Not required Partial Partial Partial
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified.
5 CVE-2019-3809 918 2019-03-25 2019-10-09
7.5
 None Remote Low Not required Partial Partial Partial
A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.
6 CVE-2018-10891 2018-07-10 2020-10-23
7.5
 None Remote Low Not required Partial Partial Partial
A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank.
7 CVE-2017-2641 89 Sql 2017-03-26 2017-08-16
7.5
 None Remote Low Not required Partial Partial Partial
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
8 CVE-2015-5332 399 DoS 2016-02-22 2020-12-01
7.1
 None Remote Medium Not required None None Complete
Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role and entering drafts with the editor-autosave feature.
9 CVE-2014-7845 255 2014-11-24 2020-12-01
7.5
 None Remote Low Not required Partial Partial Partial
The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack.
10 CVE-2014-3541 94 Exec Code 2014-07-29 2020-12-01
7.5
 None Remote Low Not required Partial Partial Partial
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.
11 CVE-2013-5674 94 2013-09-16 2020-12-01
7.5
 None Remote Low Not required Partial Partial Partial
badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.
12 CVE-2013-4313 89 Sql 2013-09-16 2020-12-01
7.5
 None Remote Low Not required Partial Partial Partial
Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string.
13 CVE-2012-0801 20 2012-07-17 2020-12-01
7.5
 None Remote Low Not required Partial Partial Partial
lib/formslib.php in Moodle 2.1.x before 2.1.4 and 2.2.x before 2.2.1 does not properly handle multiple instances of a form element, which has unspecified impact and remote attack vectors.
14 CVE-2010-1615 89 Exec Code Sql 2010-04-29 2020-12-01
7.5
 None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the add_to_log function in mod/wiki/view.php in the wiki module, or (2) "data validation in some forms elements" related to lib/form/selectgroups.php.
15 CVE-2009-4304 255 2009-12-16 2020-12-01
7.5
 None Remote Low Not required Partial Partial Partial
Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 does not use a random password salt in config.php, which makes it easier for attackers to conduct brute-force password guessing attacks.
16 CVE-2008-6124 89 Exec Code Sql 2009-02-13 2018-11-08
7.5
 None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the hotpot_delete_selected_attempts function in report.php in the HotPot module in Moodle 1.6 before 1.6.7, 1.7 before 1.7.5, 1.8 before 1.8.6, and 1.9 before 1.9.2 allows remote attackers to execute arbitrary SQL commands via a crafted selected attempt.
17 CVE-2007-1647 +Info 2007-03-24 2017-10-11
7.8
 None Remote Low Not required Complete None None
Moodle 1.5.2 and earlier stores sensitive information under the web root with insufficient access control, and provides directory listings, which allows remote attackers to obtain user names, password hashes, and other sensitive information via a direct request for session (sess_*) files in moodledata/sessions/.
18 CVE-2007-1429 Exec Code File Inclusion 2007-03-13 2018-10-16
7.5
 None Remote Low Not required Partial Partial Partial
Multiple PHP remote file inclusion vulnerabilities in Moodle 1.7.1 allow remote attackers to execute arbitrary PHP code via a URL in the cmd parameter to (1) admin/utfdbmigrate.php or (2) filter.php.
19 CVE-2006-4785 89 Exec Code Sql 2006-09-14 2018-10-17
7.5
 None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in blog/edit.php in Moodle 1.6.1 and earlier allows remote attackers to execute arbitrary SQL commands via the format parameter as stored in the $blogEntry variable, which is not properly handled by the insert_record function, which calls _adodb_column_sql in the adodb layer (lib/adodb/adodb-lib.inc.php), which does not convert the data type to an int.
20 CVE-2006-0147 Exec Code 2006-01-09 2018-10-19
7.5
 None Remote Low Not required Partial Partial Partial
Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.
21 CVE-2006-0146 89 Exec Code Sql 2006-01-09 2018-10-19
7.5
 None Remote Low Not required Partial Partial Partial
The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter.
22 CVE-2005-3648 Exec Code Sql 2005-11-17 2017-07-11
7.5
 None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the get_record function in datalib.php in Moodle 1.5.2 allow remote attackers to execute arbitrary SQL commands via the id parameter in (1) category.php and (2) info.php.
23 CVE-2004-2234 2004-12-31 2008-09-05
7.5
 None Remote Low Not required Partial Partial Partial
Unknown vulnerability in Moodle before 1.2 allows teachers to log in as administrators.
24 CVE-2004-2232 Sql 2004-12-31 2020-12-01
7.5
 None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in sql.php in the Glossary module in Moodle 1.4.1 and earlier allows remote attackers to modify SQL statements.
Total number of vulnerabilities : 24   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.