2.7.12 : Security Vulnerabilities

Cpe Name:cpe:/a:moodle:moodle:2.7.12

CVSS Scores Greater Than: 0 1 2 3 4 5 6 7 8 9

Sort Results By : CVE Number Descending CVE Number Ascending CVSS Score Descending Number Of Exploits Descending

#	CVE ID	CWE ID	Vulnerability Type(s)	Publish Date	Update Date	Score	Gained Access Level	Access	Complexity	Authentication	Conf.	Integ.	Avail.
1	CVE-2017-7491	352	CSRF	2017-05-15	2017-05-23	4.3	None	Remote	Medium	Not required	None	Partial	None
In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.
2	CVE-2017-7490	264		2017-05-15	2017-05-23	5.0	None	Remote	Low	Not required	Partial	None	None
In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.
3	CVE-2017-7489	264		2017-05-15	2017-05-23	6.5	None	Remote	Low	Single system	Partial	Partial	Partial
In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
4	CVE-2017-2641	89	Sql	2017-03-26	2017-08-15	7.5	None	Remote	Low	Not required	Partial	Partial	Partial
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
5	CVE-2016-3734	352	CSRF	2017-04-20	2017-04-27	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that marks forum posts as read.
6	CVE-2016-3733	284		2017-04-20	2017-04-28	4.0	None	Remote	Low	Single system	None	Partial	None
The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber.
7	CVE-2016-3732	200	+Info	2017-04-20	2017-04-27	4.0	None	Remote	Low	Single system	Partial	None	None
The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users.
8	CVE-2016-3729	284		2017-04-20	2017-04-27	4.0	None	Remote	Low	Single system	None	Partial	None
The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator.
9	CVE-2016-2190	264	+Info	2016-05-22	2017-09-06	5.0	None	Remote	Low	Not required	Partial	None	None
Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log.
10	CVE-2016-2159	284	Bypass	2016-05-22	2017-09-06	4.0	None	Remote	Low	Single system	None	Partial	None
The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request.
11	CVE-2016-2158	200	+Info	2016-05-22	2017-09-06	4.0	None	Remote	Low	Single system	Partial	None	None
lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.
12	CVE-2016-2157	352	CSRF	2016-05-22	2017-09-06	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests that manage Assignment plugins.
13	CVE-2016-2156	200	+Info	2016-05-22	2017-09-06	4.0	None	Remote	Low	Single system	Partial	None	None
calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request.
14	CVE-2016-2153	79	XSS	2016-05-22	2017-09-06	4.3	None	Remote	Medium	Not required	None	Partial	None
Cross-site scripting (XSS) vulnerability in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via a crafted field in a URL, as demonstrated by a search form field.
15	CVE-2016-2152	79	XSS	2016-05-22	2017-09-06	4.3	None	Remote	Medium	Not required	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an external DB profile field.
16	CVE-2016-2151	200	+Info	2016-05-22	2017-09-06	4.0	None	Remote	Low	Single system	Partial	None	None
user/index.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 grants excessive authorization on the basis of the moodle/course:viewhiddenuserfields capability, which allows remote authenticated users to discover student e-mail addresses by leveraging the teacher role and reading a Participants list.

Total number of vulnerabilities : 16 Page : 1 (This Page)