Moodle
By the Year
In 2023 there have been 18 vulnerabilities in Moodle with an average score of 6.8 out of ten. Last year Moodle had 46 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Moodle in 2023 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2023 is greater by 0.43.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 18 | 6.83 |
2022 | 46 | 6.40 |
2021 | 21 | 5.94 |
2020 | 20 | 6.58 |
2019 | 17 | 5.98 |
2018 | 17 | 6.58 |
It may take a day or so for new Moodle vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Moodle Security Vulnerabilities
Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk.
CVE-2023-28331
6.1 - Medium
- March 23, 2023
Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk.
XSS
Insufficient sanitizing in backup resulted in an arbitrary file read risk
CVE-2023-28330
6.5 - Medium
- March 23, 2023
Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.
Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).
CVE-2023-28329
8.8 - High
- March 23, 2023
Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).
SQL Injection
In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML
CVE-2021-36403
5.3 - Medium
- March 06, 2023
In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.
In Moodle
CVE-2021-36402
5.3 - Medium
- March 06, 2023
In Moodle, Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.
In Moodle
CVE-2021-36401
4.8 - Medium
- March 06, 2023
In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.
XSS
In Moodle
CVE-2021-36400
5.3 - Medium
- March 06, 2023
In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.
Insecure Direct Object Reference / IDOR
In Moodle
CVE-2021-36399
5.4 - Medium
- March 06, 2023
In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.
XSS
In moodle
CVE-2021-36398
5.4 - Medium
- March 06, 2023
In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.
XSS
In Moodle
CVE-2021-36397
5.3 - Medium
- March 06, 2023
In Moodle, insufficient capability checks meant message deletions were not limited to the current user.
In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/
CVE-2021-36396
7.5 - High
- March 06, 2023
In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.
XSPA
In Moodle
CVE-2021-36395
7.5 - High
- March 06, 2023
In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.
Stack Exhaustion
In Moodle
CVE-2021-36394
9.8 - Critical
- March 06, 2023
In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.
In Moodle
CVE-2021-36393
9.8 - Critical
- March 06, 2023
In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.
SQL Injection
In Moodle
CVE-2021-36392
9.8 - Critical
- March 06, 2023
In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.
SQL Injection
The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference
CVE-2023-23923
8.2 - High
- February 17, 2023
The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search
CVE-2023-23922
6.1 - Medium
- February 17, 2023
The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks.
XSS
The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters
CVE-2023-23921
6.1 - Medium
- February 17, 2023
The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks.
XSS
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle
CVE-2022-45152
9.1 - Critical
- November 25, 2022
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.
XSPA
The stored-XSS vulnerability was discovered in Moodle
CVE-2022-45151
5.4 - Medium
- November 23, 2022
The stored-XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in several "social" user profile fields. An attacker could inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
XSS
A reflected cross-site scripting vulnerability was discovered in Moodle
CVE-2022-45150
6.1 - Medium
- November 23, 2022
A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user-supplied data in policy tool. An attacker can trick the victim to open a specially crafted link that executes an arbitrary HTML and script code in user's browser in context of vulnerable website. This vulnerability may allow an attacker to perform cross-site scripting (XSS) attacks to gain access potentially sensitive information and modification of web pages.
XSS
A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL
CVE-2022-45149
5.4 - Medium
- November 23, 2022
A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website. This flaw allows an attacker to perform cross-site request forgery attacks.
Session Riding
Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
CVE-2022-2986
8.8 - High
- October 06, 2022
Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
Session Riding
The H5P activity attempts report did not filter by groups
CVE-2022-40316
4.3 - Medium
- September 30, 2022
The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.
Exposure of Resource to Wrong Sphere
A limited SQL injection risk was identified in the "browse list of users" site administration page.
CVE-2022-40315
9.8 - Critical
- September 30, 2022
A limited SQL injection risk was identified in the "browse list of users" site administration page.
SQL Injection
A remote code execution risk when restoring backup files originating
CVE-2022-40314
9.8 - Critical
- September 30, 2022
A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.
Recursive rendering of Mustache template helpers containing user input could
CVE-2022-40313
7.1 - High
- September 30, 2022
Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.
XSS
A session hijack risk was identified in the Shibboleth authentication plugin.
CVE-2021-40691
4.3 - Medium
- September 29, 2022
A session hijack risk was identified in the Shibboleth authentication plugin.
It was possible for a student to view their quiz grade before it had been released
CVE-2021-40695
4.3 - Medium
- September 29, 2022
It was possible for a student to view their quiz grade before it had been released, using a quiz web service.
Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.
CVE-2021-40694
4.9 - Medium
- September 29, 2022
Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.
Output Sanitization
An authentication bypass risk was identified in the external database authentication functionality
CVE-2021-40693
6.5 - Medium
- September 29, 2022
An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.
authentification
Insufficient capability checks made it possible for teachers to download users outside of their courses.
CVE-2021-40692
4.3 - Medium
- September 29, 2022
Insufficient capability checks made it possible for teachers to download users outside of their courses.
AuthZ
In certain Moodle products after creating a course
CVE-2021-36568
5.4 - Medium
- September 13, 2022
In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7.
XSS
In Moodle before 3.8.2
CVE-2020-1756
7.2 - High
- August 16, 2022
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool.
Improper Input Validation
In Moodle before 3.8.2
CVE-2020-1755
5.3 - Medium
- August 16, 2022
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.
Insufficient Verification of Data Authenticity
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it
CVE-2020-14322
7.5 - High
- August 16, 2022
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service.
Allocation of Resources Without Limits or Throttling
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within
CVE-2020-14321
8.8 - High
- August 16, 2022
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.
AuthZ
In Moodle before 3.9.1
CVE-2020-14320
6.1 - Medium
- August 16, 2022
In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.
XSS
In Moodle before 3.8.2
CVE-2020-1754
4.3 - Medium
- August 05, 2022
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.
Incorrect Permission Assignment for Critical Resource
In Moodle 3.8
CVE-2020-1691
5.4 - Medium
- August 05, 2022
In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting.
XSS
A reflected XSS issue was identified in the LTI module of Moodle
CVE-2022-35653
6.1 - Medium
- July 25, 2022
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users.
XSS
A stored XSS and blind SSRF vulnerability was found in Moodle
CVE-2022-35651
6.1 - Medium
- July 25, 2022
A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.
XSS
An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature
CVE-2022-35652
6.1 - Medium
- July 25, 2022
An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
Open Redirect
The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions
CVE-2022-35650
7.5 - High
- July 25, 2022
The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default.
Improper Input Validation
The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code
CVE-2022-35649
9.8 - Critical
- July 25, 2022
The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Improper Input Validation
A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.
CVE-2022-30599
9.8 - Critical
- May 18, 2022
A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.
SQL Injection
A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.
CVE-2022-30598
4.3 - Medium
- May 18, 2022
A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.
A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.
CVE-2022-30597
5.3 - Medium
- May 18, 2022
A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.
A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.
CVE-2022-30600
9.8 - Critical
- May 18, 2022
A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.
Incorrect Calculation
A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.
CVE-2022-30596
5.4 - Medium
- May 18, 2022
A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.
XSS
Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria
CVE-2022-0984
4.3 - Medium
- April 29, 2022
Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.
AuthZ
Insufficient capability checks could
CVE-2022-0985
4.3 - Medium
- April 29, 2022
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.
authentification
An SQL injection risk was identified in Badges code relating to configuring criteria
CVE-2022-0983
8.8 - High
- March 25, 2022
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
SQL Injection
A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits
CVE-2021-32476
7.5 - High
- March 11, 2022
A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.
Allocation of Resources Without Limits or Throttling
An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host
CVE-2021-32474
7.2 - High
- March 11, 2022
An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.
SQL Injection
The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks
CVE-2021-32478
6.1 - Medium
- March 11, 2022
The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected.
XSS
The last time a user accessed the mobile app is displayed on their profile page
CVE-2021-32477
4.3 - Medium
- March 11, 2022
The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). Moodle versions 3.10 to 3.10.3 are affected.
AuthZ
ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk
CVE-2021-32475
5.4 - Medium
- March 11, 2022
ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.
XSS
It was possible for a student to view their quiz grade before it had been released, using a quiz web service
CVE-2021-32473
5.3 - Medium
- March 11, 2022
It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected
Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances
CVE-2021-32472
4.3 - Medium
- March 11, 2022
Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 are affected.
AuthZ
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions
CVE-2022-0333
3.8 - Low
- January 25, 2022
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.
AuthZ
A flaw was found in Moodle in versions 3.11 to 3.11.4
CVE-2022-0332
9.8 - Critical
- January 25, 2022
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.
SQL Injection
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions
CVE-2022-0335
8.8 - High
- January 25, 2022
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.
Session Riding
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions
CVE-2022-0334
4.3 - Medium
- January 25, 2022
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.
Exposure of Resource to Wrong Sphere
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
CVE-2021-3943
9.8 - Critical
- November 22, 2021
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified.
Improper Input Validation
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
CVE-2021-43560
5.3 - Medium
- November 22, 2021
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.
Exposure of Resource to Wrong Sphere
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
CVE-2021-43559
8.8 - High
- November 22, 2021
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.
Session Riding
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
CVE-2021-43558
6.1 - Medium
- November 22, 2021
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.
XSS
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10
CVE-2021-21809
9.1 - Critical
- June 23, 2021
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
Cross Site Scripting (XSS) in Moodle 3.10.3
CVE-2021-32244
5.4 - Medium
- June 16, 2021
Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.
XSS
A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates
CVE-2019-14827
6.1 - Medium
- May 17, 2021
A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions.
Code Injection
A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned
CVE-2019-14828
4.3 - Medium
- March 19, 2021
A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.
AuthZ
A vulnerability was found in Moodle affection 3.7 to 3.7.1
CVE-2019-14829
4.3 - Medium
- March 19, 2021
A vulnerability was found in Moodle affection 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.
Improper Following of Specification by Caller
A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances
CVE-2019-14830
6.1 - Medium
- March 19, 2021
A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").
Open Redirect
A vulnerability was found in Moodle 3.7 to 3.7.1
CVE-2019-14831
6.1 - Medium
- March 19, 2021
A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscribe link contained an open redirect if forced subscription mode was enabled. If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.
Open Redirect
The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2
CVE-2021-20279
5.4 - Medium
- March 15, 2021
The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
XSS
Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2
CVE-2021-20280
5.4 - Medium
- March 15, 2021
Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
XSS
It was possible for some users without permission to view other users' full names to do so
CVE-2021-20281
5.3 - Medium
- March 15, 2021
It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
AuthZ
When creating a user account
CVE-2021-20282
5.3 - Medium
- March 15, 2021
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
AuthZ
The web service responsible for fetching other users' enrolled courses did not validate
CVE-2021-20283
4.3 - Medium
- March 15, 2021
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
AuthZ
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16
CVE-2021-20185
5.3 - Medium
- January 28, 2021
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.
Allocation of Resources Without Limits or Throttling
It was found in Moodle before version 3.10.1
CVE-2021-20183
5.4 - Medium
- January 28, 2021
It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.
XSS
It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7
CVE-2021-20184
4.3 - Medium
- January 28, 2021
It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades.
Improper Validation of Integrity Check Value
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16
CVE-2021-20186
5.4 - Medium
- January 28, 2021
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.
XSS
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16
CVE-2021-20187
7.2 - High
- January 28, 2021
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.
Inclusion of Functionality from Untrusted Control Sphere
The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk
CVE-2020-25627
6.1 - Medium
- December 09, 2020
The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2.
XSS
The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk
CVE-2020-25628
6.1 - Medium
- December 08, 2020
The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
XSS
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically
CVE-2020-25629
8.8 - High
- December 08, 2020
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
AuthZ
A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them
CVE-2020-25630
7.5 - High
- December 08, 2020
A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
Resource Exhaustion
A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title
CVE-2020-25631
6.1 - Medium
- December 08, 2020
A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.
XSS
Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course
CVE-2020-25698
7.5 - High
- November 19, 2020
Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within
CVE-2020-25699
7.5 - High
- November 19, 2020
In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
AuthZ
In moodle, some database module web services allowed students to add entries within groups they did not belong to
CVE-2020-25700
6.5 - Medium
- November 19, 2020
In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10.
SQL Injection
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable
CVE-2020-25701
5.3 - Medium
- November 19, 2020
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
AuthZ
In Moodle, it was possible to include JavaScript when re-naming content bank items
CVE-2020-25702
6.1 - Medium
- November 19, 2020
In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.
XSS
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden
CVE-2020-25703
5.3 - Medium
- November 19, 2020
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.
Information Disclosure
A flaw was found in Moodle versions 3.8 before 3.8.3
CVE-2020-10738
8.8 - High
- May 21, 2020
A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions. It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution.
Improper Input Validation
A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier
CVE-2019-14880
9.1 - Critical
- March 31, 2020
A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.
A vulnerability was found in moodle 3.7 before 3.7.3
CVE-2019-14881
6.1 - Medium
- March 18, 2020
A vulnerability was found in moodle 3.7 before 3.7.3, where there is blind XSS reflected in some locations where user email is displayed.
XSS
A vulnerability was found in Moodle 3.7 to 3.7.3
CVE-2019-14882
6.1 - Medium
- March 18, 2020
A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier where an open redirect existed in the Lesson edit page.
Open Redirect