CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Moodle » Moodle » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-35653 79 Exec Code XSS 2022-07-25 2022-07-28
0.0
None ??? ??? ??? ??? ??? ???
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users.
2 CVE-2022-35652 601 2022-07-25 2022-08-01
0.0
None ??? ??? ??? ??? ??? ???
An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
3 CVE-2022-35651 79 Exec Code XSS 2022-07-25 2022-07-29
0.0
None ??? ??? ??? ??? ??? ???
A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.
4 CVE-2022-35650 20 Dir. Trav. 2022-07-25 2022-08-01
0.0
None ??? ??? ??? ??? ??? ???
The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default.
5 CVE-2022-35649 20 Exec Code 2022-07-25 2022-08-01
0.0
None ??? ??? ??? ??? ??? ???
The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6 CVE-2022-30600 682 Bypass 2022-05-18 2022-06-13
7.5
None Remote Low Not required Partial Partial Partial
A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.
7 CVE-2022-30599 89 Sql 2022-05-18 2022-06-13
7.5
None Remote Low Not required Partial Partial Partial
A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.
8 CVE-2022-30598 2022-05-18 2022-06-13
4.0
None Remote Low ??? Partial None None
A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.
9 CVE-2022-30597 2022-05-18 2022-06-13
5.0
None Remote Low Not required Partial None None
A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.
10 CVE-2022-30596 79 XSS 2022-05-18 2022-06-13
3.5
None Remote Medium ??? None Partial None
A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.
11 CVE-2022-0985 287 2022-04-29 2022-05-11
4.0
None Remote Low ??? None Partial None
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.
12 CVE-2022-0984 863 2022-04-29 2022-05-10
4.0
None Remote Low ??? None Partial None
Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.
13 CVE-2022-0983 89 Sql 2022-03-25 2022-03-30
6.5
None Remote Low ??? Partial Partial Partial
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
14 CVE-2022-0335 352 CSRF 2022-01-25 2022-02-01
6.8
None Remote Medium Not required Partial Partial Partial
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.
15 CVE-2022-0334 668 2022-01-25 2022-02-01
4.0
None Remote Low ??? Partial None None
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.
16 CVE-2022-0333 863 2022-01-25 2022-02-01
5.5
None Remote Low ??? Partial Partial None
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.
17 CVE-2022-0332 89 Sql 2022-01-25 2022-02-01
7.5
None Remote Low Not required Partial Partial Partial
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.
18 CVE-2021-43560 668 2021-11-22 2022-06-14
5.0
None Remote Low Not required Partial None None
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.
19 CVE-2021-43559 352 CSRF 2021-11-22 2022-06-14
6.8
None Remote Medium Not required Partial Partial Partial
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.
20 CVE-2021-43558 79 XSS 2021-11-22 2022-06-14
4.3
None Remote Medium Not required None Partial None
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.
21 CVE-2021-32478 79 XSS 2022-03-11 2022-07-02
4.3
None Remote Medium Not required None Partial None
The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected.
22 CVE-2021-32477 862 2022-03-11 2022-07-02
4.0
None Remote Low ??? Partial None None
The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). Moodle versions 3.10 to 3.10.3 are affected.
23 CVE-2021-32476 770 2022-03-11 2022-08-04
5.0
None Remote Low Not required None None Partial
A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.
24 CVE-2021-32475 79 XSS 2022-03-11 2022-03-18
3.5
None Remote Medium ??? None Partial None
ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.
25 CVE-2021-32474 89 Sql 2022-03-11 2022-03-18
6.5
None Remote Low ??? Partial Partial Partial
An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.
26 CVE-2021-32473 2022-03-11 2022-03-18
5.0
None Remote Low Not required Partial None None
It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected
27 CVE-2021-32472 862 2022-03-11 2022-08-04
2.6
None Remote High Not required Partial None None
Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 are affected.
28 CVE-2021-20283 862 2021-03-15 2022-08-05
4.0
None Remote Low ??? Partial None None
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
29 CVE-2021-20282 863 2021-03-15 2021-03-23
5.0
None Remote Low Not required None Partial None
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
30 CVE-2021-20281 863 2021-03-15 2022-08-05
5.0
None Remote Low Not required Partial None None
It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
31 CVE-2021-20280 79 XSS 2021-03-15 2021-11-30
3.5
None Remote Medium ??? None Partial None
Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
32 CVE-2021-20279 79 XSS 2021-03-15 2021-03-23
3.5
None Remote Medium ??? None Partial None
The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
33 CVE-2021-20187 94 2021-01-28 2021-02-01
6.5
None Remote Low ??? Partial Partial Partial
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.
34 CVE-2021-20186 79 XSS 2021-01-28 2021-02-01
2.1
None Remote High ??? Partial None None
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.
35 CVE-2021-20185 400 DoS 2021-01-28 2021-02-04
5.0
None Remote Low Not required None None Partial
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.
36 CVE-2021-20184 354 2021-01-28 2021-02-01
4.0
None Remote Low ??? Partial None None
It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades.
37 CVE-2021-20183 79 XSS 2021-01-28 2021-02-01
4.3
None Remote Medium Not required None Partial None
It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.
38 CVE-2021-3943 20 Exec Code 2021-11-22 2021-11-23
7.5
None Remote Low Not required Partial Partial Partial
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified.
39 CVE-2020-25703 200 +Info 2020-11-19 2021-10-19
5.0
None Remote Low Not required Partial None None
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.
40 CVE-2020-25702 79 XSS 2020-11-19 2020-12-03
4.3
None Remote Medium Not required None Partial None
In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.
41 CVE-2020-25701 863 2020-11-19 2020-12-01
5.0
None Remote Low Not required None Partial None
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
42 CVE-2020-25700 89 Sql 2020-11-19 2020-12-03
4.0
None Remote Low ??? None Partial None
In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10.
43 CVE-2020-25699 863 2020-11-19 2021-10-19
5.0
None Remote Low Not required None Partial None
In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
44 CVE-2020-25698 2020-11-19 2020-12-02
5.0
None Remote Low Not required None Partial None
Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
45 CVE-2020-25631 79 XSS 2020-12-08 2020-12-08
4.3
None Remote Medium Not required None Partial None
A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.
46 CVE-2020-25630 400 DoS 2020-12-08 2020-12-08
5.0
None Remote Low Not required None None Partial
A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
47 CVE-2020-25629 284 2020-12-08 2020-12-08
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
48 CVE-2020-25628 79 XSS 2020-12-08 2020-12-08
4.3
None Remote Medium Not required None Partial None
The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
49 CVE-2020-25627 79 XSS 2020-12-09 2020-12-10
4.3
None Remote Medium Not required None Partial None
The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2.
50 CVE-2020-14322 770 DoS 2022-08-16 2022-08-17
0.0
None ??? ??? ??? ??? ??? ???
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service.
Total number of vulnerabilities : 244   Page : 1 (This Page)2 3 4 5
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.