| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2022-35653 |
79 |
|
Exec Code XSS |
2022-07-25 |
2022-07-28 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users. |
|
2 |
CVE-2022-35652 |
601 |
|
|
2022-07-25 |
2022-08-01 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information. |
|
3 |
CVE-2022-35651 |
79 |
|
Exec Code XSS |
2022-07-25 |
2022-07-29 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. |
|
4 |
CVE-2022-35650 |
20 |
|
Dir. Trav. |
2022-07-25 |
2022-08-01 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default. |
|
5 |
CVE-2022-35649 |
20 |
|
Exec Code |
2022-07-25 |
2022-08-01 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system. |
|
6 |
CVE-2022-30600 |
682 |
|
Bypass |
2022-05-18 |
2022-06-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed. |
|
7 |
CVE-2022-30599 |
89 |
|
Sql |
2022-05-18 |
2022-06-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria. |
|
8 |
CVE-2022-30598 |
|
|
|
2022-05-18 |
2022-06-13 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it. |
|
9 |
CVE-2022-30597 |
|
|
|
2022-05-18 |
2022-06-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field. |
|
10 |
CVE-2022-30596 |
79 |
|
XSS |
2022-05-18 |
2022-06-13 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk. |
|
11 |
CVE-2022-0985 |
287 |
|
|
2022-04-29 |
2022-05-11 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability. |
|
12 |
CVE-2022-0984 |
863 |
|
|
2022-04-29 |
2022-05-10 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges. |
|
13 |
CVE-2022-0983 |
89 |
|
Sql |
2022-03-25 |
2022-03-30 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default. |
|
14 |
CVE-2022-0335 |
352 |
|
CSRF |
2022-01-25 |
2022-02-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk. |
|
15 |
CVE-2022-0334 |
668 |
|
|
2022-01-25 |
2022-02-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability. |
|
16 |
CVE-2022-0333 |
863 |
|
|
2022-01-25 |
2022-02-01 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events. |
|
17 |
CVE-2022-0332 |
89 |
|
Sql |
2022-01-25 |
2022-02-01 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data. |
|
18 |
CVE-2021-43560 |
668 |
|
|
2021-11-22 |
2022-06-14 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events. |
|
19 |
CVE-2021-43559 |
352 |
|
CSRF |
2021-11-22 |
2022-06-14 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk. |
|
20 |
CVE-2021-43558 |
79 |
|
XSS |
2021-11-22 |
2022-06-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk. |
|
21 |
CVE-2021-32478 |
79 |
|
XSS |
2022-03-11 |
2022-07-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected. |
|
22 |
CVE-2021-32477 |
862 |
|
|
2022-03-11 |
2022-07-02 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). Moodle versions 3.10 to 3.10.3 are affected. |
|
23 |
CVE-2021-32476 |
770 |
|
|
2022-03-11 |
2022-08-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. |
|
24 |
CVE-2021-32475 |
79 |
|
XSS |
2022-03-11 |
2022-03-18 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. |
|
25 |
CVE-2021-32474 |
89 |
|
Sql |
2022-03-11 |
2022-03-18 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. |
|
26 |
CVE-2021-32473 |
|
|
|
2022-03-11 |
2022-03-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected |
|
27 |
CVE-2021-32472 |
862 |
|
|
2022-03-11 |
2022-08-04 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 are affected. |
|
28 |
CVE-2021-20283 |
862 |
|
|
2021-03-15 |
2022-08-05 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. |
|
29 |
CVE-2021-20282 |
863 |
|
|
2021-03-15 |
2021-03-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. |
|
30 |
CVE-2021-20281 |
863 |
|
|
2021-03-15 |
2022-08-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. |
|
31 |
CVE-2021-20280 |
79 |
|
XSS |
2021-03-15 |
2021-11-30 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. |
|
32 |
CVE-2021-20279 |
79 |
|
XSS |
2021-03-15 |
2021-03-23 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. |
|
33 |
CVE-2021-20187 |
94 |
|
|
2021-01-28 |
2021-02-01 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. |
|
34 |
CVE-2021-20186 |
79 |
|
XSS |
2021-01-28 |
2021-02-01 |
2.1 |
None |
Remote |
High |
??? |
Partial |
None |
None |
|
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS. |
|
35 |
CVE-2021-20185 |
400 |
|
DoS |
2021-01-28 |
2021-02-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages. |
|
36 |
CVE-2021-20184 |
354 |
|
|
2021-01-28 |
2021-02-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades. |
|
37 |
CVE-2021-20183 |
79 |
|
XSS |
2021-01-28 |
2021-02-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries. |
|
38 |
CVE-2021-3943 |
20 |
|
Exec Code |
2021-11-22 |
2021-11-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified. |
|
39 |
CVE-2020-25703 |
200 |
|
+Info |
2020-11-19 |
2021-10-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10. |
|
40 |
CVE-2020-25702 |
79 |
|
XSS |
2020-11-19 |
2020-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10. |
|
41 |
CVE-2020-25701 |
863 |
|
|
2020-11-19 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. |
|
42 |
CVE-2020-25700 |
89 |
|
Sql |
2020-11-19 |
2020-12-03 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10. |
|
43 |
CVE-2020-25699 |
863 |
|
|
2020-11-19 |
2021-10-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. |
|
44 |
CVE-2020-25698 |
|
|
|
2020-11-19 |
2020-12-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. |
|
45 |
CVE-2020-25631 |
79 |
|
XSS |
2020-12-08 |
2020-12-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8. |
|
46 |
CVE-2020-25630 |
400 |
|
DoS |
2020-12-08 |
2020-12-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. |
|
47 |
CVE-2020-25629 |
284 |
|
|
2020-12-08 |
2020-12-08 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. |
|
48 |
CVE-2020-25628 |
79 |
|
XSS |
2020-12-08 |
2020-12-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. |
|
49 |
CVE-2020-25627 |
79 |
|
XSS |
2020-12-09 |
2020-12-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2. |
|
50 |
CVE-2020-14322 |
770 |
|
DoS |
2022-08-16 |
2022-08-17 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service. |
