CVEdetails.com the ultimate security vulnerability data source
Moodle » Moodle » 4.0.0: Security Vulnerabilities

CPE Name: cpe:2.3:a:moodle:moodle:4.0.0:-:*:*:*:*:*:*
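The CPE name above is what ties this listing to an installed product. The following is an added example, not cvedetails.com or Moodle code: it parses a CPE 2.3 formatted string into its 13 colon-separated components and checks whether a pattern such as the page's name applies to an installed product's CPE. The installed-product strings, the "prod\:x" escaping sample and the "4.0*" prefix pattern are constructed inputs. The matching rules are the simple ones a practitioner needs ("*" is ANY, "-" is NA, an unescaped "*" or "?" inside a pattern value is a wildcard, everything else compares case-insensitively with backslash escapes removed); it does not implement the full NISTIR 7696 set of match relations.

```python
import re
from typing import Dict, List

# The page's own CPE name for Moodle 4.0.0.
PAGE_CPE = "cpe:2.3:a:moodle:moodle:4.0.0:-:*:*:*:*:*:*"

# The 11 attribute names that follow the fixed "cpe" and "2.3" prefix components.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")


def split_components(fs: str) -> List[str]:
    """Split a formatted string on unescaped ':' only.

    A backslash escapes the next character, so 'prod\\:x' stays one component.
    Escape pairs are kept verbatim so a literal '\\*' is never mistaken for ANY.
    """
    parts, buf, i = [], [], 0
    while i < len(fs):
        ch = fs[i]
        if ch == "\\" and i + 1 < len(fs):
            buf.append(fs[i:i + 2])  # keep the escape pair as-is
            i += 2
            continue
        if ch == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cpe(fs: str) -> Dict[str, str]:
    """Return the 11 named attributes (raw, still escaped) of a CPE 2.3 string."""
    parts = split_components(fs)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    return dict(zip(FIELDS, parts[2:]))


def unescape(value: str) -> str:
    """Drop backslash escapes: 'prod\\:x' -> 'prod:x'."""
    return re.sub(r"\\(.)", r"\1", value)


def _pattern_to_regex(pattern: str) -> str:
    """One pattern component as a regex: unescaped '*' -> '.*', unescaped '?' -> '.',
    escaped characters -> literals."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return "".join(out)


def component_matches(pattern: str, value: str) -> bool:
    """ANY matches anything; NA matches only NA; otherwise wildcard-compare."""
    if pattern == "*":
        return True
    if pattern == "-" or value == "-":
        return pattern == value
    return re.fullmatch(_pattern_to_regex(pattern), unescape(value), re.IGNORECASE) is not None


def cpe_matches(pattern_fs: str, target_fs: str) -> bool:
    """True when every attribute of the target is matched by the pattern."""
    p, t = parse_cpe(pattern_fs), parse_cpe(target_fs)
    return all(component_matches(p[f], t[f]) for f in FIELDS)


def applies_to(installed_fs: str) -> bool:
    """Does this page's listing apply to an installed product with this CPE name?"""
    return cpe_matches(PAGE_CPE, installed_fs)


if __name__ == "__main__":
    for name, raw in parse_cpe(PAGE_CPE).items():
        print(f"{name:>11}: {raw}")
    # Constructed installed-product names, not data from the page.
    for installed in ("cpe:2.3:a:moodle:moodle:4.0.0:-:*:*:*:*:*:*",
                      "cpe:2.3:a:moodle:moodle:4.0.1:-:*:*:*:*:*:*"):
        print(installed, "->", applies_to(installed))
```

Note that the page's name pins version 4.0.0 and update "-" (NA), so a 4.0.1 install is reported as not matched by this listing; whether 4.0.1 is affected by a given entry is a question for the per-CVE advisory, not for the CPE string.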
Columns: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
Score and the six columns after Gained Access Level are the CVSS v2 base score and its base metrics. No entry on this page lists an exploit count. "???" marks a metric value the page does not show; an entry with score 0.0 and all metrics "???" has no CVSS v2 score on this page, so 0.0 means unscored, not harmless.

1. CVE-2023-28336 | CWE-668 | Published 2023-03-23, updated 2023-04-07 | CVSS v2: unscored
    Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.

2. CVE-2023-28334 | CWE-639 | Published 2023-03-23, updated 2023-03-28 | CVSS v2: unscored
    Authenticated users were able to enumerate other users' names via the learning plans page.

3. CVE-2023-28333 | CWE-94 | Published 2023-03-23, updated 2023-03-31 | CVSS v2: unscored
    The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: this did not appear to be implemented or exploitable anywhere in the core Moodle LMS).

4. CVE-2023-28332 | CWE-79 | XSS | Published 2023-03-23, updated 2023-03-30 | CVSS v2: unscored
    If the algebra filter was enabled but not functional (e.g. the necessary binaries were missing from the server), it presented an XSS risk.

5. CVE-2023-28331 | CWE-79 | XSS | Published 2023-03-23, updated 2023-03-30 | CVSS v2: unscored
    Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk.

6. CVE-2023-28330 | no CWE listed | Published 2023-03-23, updated 2023-03-30 | CVSS v2: unscored
    Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.

7. CVE-2023-28329 | CWE-89 | SQL injection | Published 2023-03-23, updated 2023-03-30 | CVSS v2: unscored
    Insufficient validation of a profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).

8. CVE-2023-1402 | CWE-668 | Published 2023-03-23, updated 2023-03-30 | CVSS v2: unscored
    The course participation report required additional checks to prevent roles being displayed which the user did not have access to view.

9. CVE-2022-40208 | no CWE listed | Bypass | Published 2023-03-24, updated 2023-03-30 | CVSS v2: unscored
    In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.

10. CVE-2022-35653 | CWE-79 | Exec Code, XSS | Published 2022-07-25, updated 2022-07-28 | CVSS v2: unscored
    A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website, to steal potentially sensitive information, change the appearance of the web page, or perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users.

11. CVE-2022-35651 | CWE-79 | Exec Code, XSS | Published 2022-07-25, updated 2022-07-29 | CVSS v2: unscored
    A stored XSS and blind SSRF vulnerability was found in Moodle, caused by insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website, to steal potentially sensitive information, change the appearance of the web page, or perform phishing and drive-by-download attacks.

12. CVE-2022-30600 | CWE-682 | Bypass | Published 2022-05-18, updated 2022-06-13 | CVSS v2 7.5: gained access None; Remote; Low complexity; authentication Not required; Conf. Partial, Integ. Partial, Avail. Partial
    A flaw was found in Moodle where the logic used to count failed login attempts could result in the account lockout threshold being bypassed.

13. CVE-2022-30599 | CWE-89 | SQL injection | Published 2022-05-18, updated 2022-06-13 | CVSS v2 7.5: gained access None; Remote; Low complexity; authentication Not required; Conf. Partial, Integ. Partial, Avail. Partial
    A flaw was found in Moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.

14. CVE-2022-30598 | no CWE listed | Published 2022-05-18, updated 2022-06-13 | CVSS v2 4.0: gained access None; Remote; Low complexity; authentication ???; Conf. Partial, Integ. None, Avail. None
    A flaw was found in Moodle where global search results could include author information on some activities where a user may not otherwise have access to it.

15. CVE-2022-30597 | no CWE listed | Published 2022-05-18, updated 2022-06-13 | CVSS v2 5.0: gained access None; Remote; Low complexity; authentication Not required; Conf. Partial, Integ. None, Avail. None
    A flaw was found in Moodle where the description user field was not hidden when set as a hidden user field.

16. CVE-2022-30596 | CWE-79 | XSS | Published 2022-05-18, updated 2022-06-13 | CVSS v2 3.5: gained access None; Remote; Medium complexity; authentication ???; Conf. None, Integ. Partial, Avail. None
    A flaw was found in Moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.
Total number of vulnerabilities: 16 (all listed on this page)
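The Score column and the metric columns after it (Access, Complexity, Authentication, Conf., Integ., Avail.) are the CVSS v2 base score and base metrics, which can be recomputed from the table. The following is an added example, not cvedetails.com code: it applies the CVSS v2 base-score formula and weights from the CVSS v2 specification to rows in the page's own column wording, and uses the formula to resolve the two rows (CVE-2022-30598, 4.0 and CVE-2022-30596, 3.5) where the page leaves Authentication as "???". The page's "Remote" is taken as CVSS AV:N; the alternative spellings accepted by the row regex ("Adjacent Network", "Single system", "Multiple systems") and the User/Admin values for Gained Access Level are assumptions, since only None, Remote, Low, Medium, Not required, Partial and None occur on this page.

```python
import re
from typing import List

# CVSS v2 base-metric weights, as published in the CVSS v2 specification.
AV = {"Local": 0.395, "Adjacent Network": 0.646, "Remote": 1.0}  # "Remote" = AV:N on this page
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "Not required": 0.704}
CIA = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def cvss2_base(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


# One metrics row of the table, e.g. "None Remote Low Not required Partial Partial Partial".
# The first word is cvedetails' "Gained Access Level" and is not part of the CVSS v2
# vector; User/Admin are assumed alternatives, only "None" occurs on this page.
ROW_RE = re.compile(
    r"^(?P<gained>None|User|Admin)\s+"
    r"(?P<av>Local|Adjacent Network|Remote)\s+"
    r"(?P<ac>Low|Medium|High)\s+"
    r"(?P<au>Not required|Single(?: system)?|Multiple(?: systems)?)\s+"
    r"(?P<c>None|Partial|Complete)\s+"
    r"(?P<i>None|Partial|Complete)\s+"
    r"(?P<a>None|Partial|Complete)$"
)


def score_from_row(row: str) -> float:
    """Recompute the Score column from one metrics row; rows with '???' cannot be scored."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"row has a '???' or unknown metric, cannot score: {row!r}")
    au_word = m["au"]
    au = "Not required" if au_word.startswith("Not") else au_word.split()[0]
    return cvss2_base(m["av"], m["ac"], au, m["c"], m["i"], m["a"])


def vector(av: str, ac: str, au: str, c: str, i: str, a: str) -> str:
    """Render the metrics as a CVSS v2 vector string, e.g. AV:N/AC:L/Au:N/C:P/I:P/A:P."""
    short = {"Local": "L", "Adjacent Network": "A", "Remote": "N",
             "High": "H", "Medium": "M", "Low": "L",
             "Multiple": "M", "Single": "S", "Not required": "N",
             "None": "N", "Partial": "P", "Complete": "C"}
    return (f"AV:{short[av]}/AC:{short[ac]}/Au:{short[au]}"
            f"/C:{short[c]}/I:{short[i]}/A:{short[a]}")


def infer_auth(listed_score: float, av: str, ac: str, c: str, i: str, a: str) -> List[str]:
    """Authentication values that reproduce a listed score, for rows where the page shows '???'."""
    return [au for au in AU if cvss2_base(av, ac, au, c, i, a) == listed_score]


if __name__ == "__main__":
    # Rows copied from this page: CVE-2022-30600 (7.5) and CVE-2022-30597 (5.0).
    for row in ("None Remote Low Not required Partial Partial Partial",
                "None Remote Low Not required Partial None None"):
        print(row, "->", score_from_row(row))
    # CVE-2022-30598 (4.0) and CVE-2022-30596 (3.5) leave Authentication as '???'.
    print("4.0:", infer_auth(4.0, "Remote", "Low", "Partial", "None", "None"))
    print("3.5:", infer_auth(3.5, "Remote", "Medium", "None", "Partial", "None"))
```

Run against the page, the two fully specified rows give 7.5 and 5.0 as listed, and for both "???" rows Single is the only Authentication value that yields the listed score (Not required would give 5.0 and 4.3, Multiple 3.3 and 2.8), so those two entries require an authenticated user. The 0.0 entries are not all-None vectors; they carry no CVSS v2 metrics at all, which is why score_from_row refuses them rather than returning 0.0.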