cpe:2.3:a:moodle:moodle:2.3.3:*:*:*:*:*:*:*
An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.
Max CVSS: 7.5 | EPSS Score: 0.06% | Published: 2023-06-22 | Updated: 2023-06-30
A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.
Max CVSS: 6.3 | EPSS Score: 0.05% | Published: 2023-06-22 | Updated: 2023-06-30
Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.
Max CVSS: 3.3 | EPSS Score: 0.05% | Published: 2023-11-09 | Updated: 2023-11-17
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.
Max CVSS: 9.8 | EPSS Score: 0.32% | Published: 2023-11-09 | Updated: 2023-11-17
Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.
Max CVSS: 5.3 | EPSS Score: 0.05% | Published: 2023-11-09 | Updated: 2023-11-16
Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.
Max CVSS: 5.3 | EPSS Score: 0.05% | Published: 2023-11-09 | Updated: 2023-11-16
H5P metadata automatically populated the author with the user's username, which could be sensitive information.
Max CVSS: 5.3 | EPSS Score: 0.05% | Published: 2023-11-09 | Updated: 2023-11-16
A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.
Max CVSS: 8.8 | EPSS Score: 0.17% | Published: 2023-11-09 | Updated: 2023-11-16
A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.
Max CVSS: 8.8 | EPSS Score: 0.17% | Published: 2023-11-09 | Updated: 2023-11-16
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in the LTI provider library. The library does not use Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.
Max CVSS: 9.1 | EPSS Score: 0.20% | Published: 2022-11-25 | Updated: 2023-02-01
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.
Max CVSS: 4.3 | EPSS Score: 0.05% | Published: 2022-04-29 | Updated: 2023-07-21
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.
Max CVSS: 8.8 | EPSS Score: 0.07% | Published: 2022-01-25 | Updated: 2022-12-21
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.
Max CVSS: 4.3 | EPSS Score: 0.05% | Published: 2022-01-25 | Updated: 2022-12-21
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.
Max CVSS: 5.5 | EPSS Score: 0.05% | Published: 2022-01-25 | Updated: 2022-12-21
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.
Max CVSS: 5.3 | EPSS Score: 0.08% | Published: 2021-11-22 | Updated: 2022-12-21
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.
Max CVSS: 8.8 | EPSS Score: 0.07% | Published: 2021-11-22 | Updated: 2022-12-21
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.
Max CVSS: 6.1 | EPSS Score: 0.08% | Published: 2021-11-22 | Updated: 2022-12-21
Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.
Max CVSS: 4.9 | EPSS Score: 0.07% | Published: 2022-09-29 | Updated: 2022-10-03
An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.
Max CVSS: 6.5 | EPSS Score: 0.05% | Published: 2022-09-29 | Updated: 2022-10-03
A session hijack risk was identified in the Shibboleth authentication plugin.
Max CVSS: 4.3 | EPSS Score: 0.07% | Published: 2022-09-29 | Updated: 2022-10-03
In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.
Max CVSS: 5.3 | EPSS Score: 0.06% | Published: 2023-03-06 | Updated: 2023-03-13
In Moodle, users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.
Max CVSS: 5.3 | EPSS Score: 0.06% | Published: 2023-03-06 | Updated: 2023-03-13
In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.
Max CVSS: 4.8 | EPSS Score: 0.04% | Published: 2023-03-06 | Updated: 2023-03-13
In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.
Max CVSS: 5.3 | EPSS Score: 0.06% | Published: 2023-03-06 | Updated: 2023-03-13
In Moodle, insufficient capability checks meant message deletions were not limited to the current user.
Max CVSS: 5.3 | EPSS Score: 0.06% | Published: 2023-03-06 | Updated: 2023-03-13
195 vulnerabilities found