Moodle

Moodle Messaging Component Information Disclosure Vulnerability

CVE-2024-48896 4.3 - Medium - November 18, 2024

A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.

Generation of Error Message Containing Sensitive Information

Moodle RSS Feed Access Control Vulnerability

CVE-2024-48897 4.3 - Medium - November 18, 2024

A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.

AuthZ

Moodle: Privilege Escalation in Audience Deletion

CVE-2024-48898 4.3 - Medium - November 18, 2024

A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from.

AuthZ

Moodle Report Schedule Access Control Vulnerability

CVE-2024-48901 4.3 - Medium - November 18, 2024

A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.

AuthZ

Moodle H5P Reflected Cross-Site Scripting (XSS) Vulnerability

CVE-2024-43439 6.1 - Medium - November 11, 2024

A flaw was found in moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk.

Moodle Site Administration Presets Export Information Disclosure Vulnerability

CVE-2024-43427 - November 11, 2024

A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.

Moodle Gradebook Information Disclosure Vulnerability in User Profile Fields

CVE-2024-43429 - November 11, 2024

A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the information.

Moodle Quiz External API Insufficient Access Control Vulnerability

CVE-2024-43430 - November 11, 2024

A flaw was found in moodle. External API access to Quiz can override contained insufficient access control.

Moodle cURL Wrapper HTTP Authorization Header Leak Vulnerability

CVE-2024-43432 - November 11, 2024

A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Moodle Matrix Integration: Improper Access Control for Suspended Users

CVE-2024-43433 - November 11, 2024

A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users.

Moodle Glossary Restore Capability Bypass Vulnerability

CVE-2024-43435 - November 11, 2024

A flaw was found in moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary.

Moodle Backup XSS Vulnerability

CVE-2024-43437 6.1 - Medium - November 11, 2024

A flaw was found in moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files.

SQL Injection in Moodle XMLDB Editor

CVE-2024-43436 - November 07, 2024

A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators.

Moodle RCE via Calculated Question Types

CVE-2024-43425 - November 07, 2024

A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.

Moodle 4.3 Cache Poisoning via Local Storage

CVE-2024-43428 - November 07, 2024

To address a cache poisoning risk in Moodle, additional validation for local storage was required.

Moodle Badge Deletion Privilege Escalation

CVE-2024-43431 - November 07, 2024

A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.

Moodle Feedback Module CSRF Token Bypass

CVE-2024-43434 - November 07, 2024

The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.

Moodle Local File Inclusion in Block Backup

CVE-2024-43440 - November 07, 2024

A flaw was found in moodle. A local file may include risks when restoring block backups.

Incorrect CSRF token checks resulted in multiple CSRF risks.

CVE-2024-38276 8.8 - High - June 18, 2024

Incorrect CSRF token checks resulted in multiple CSRF risks.

Session Riding

Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.

CVE-2024-34008 8.8 - High - May 31, 2024

Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.

Session Riding

Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g

CVE-2024-25983 5.3 - Medium - February 19, 2024

Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).

Insecure Direct Object Reference / IDOR

Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.

CVE-2024-25978 7.5 - High - February 19, 2024

Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.

Allocation of Resources Without Limits or Throttling

The URL parameters accepted by forum search were not limited to the

CVE-2024-25979 5.3 - Medium - February 19, 2024

The URL parameters accepted by forum search were not limited to the allowed parameters.

Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups

CVE-2024-25980 5.3 - Medium - February 19, 2024

Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups

CVE-2024-25981 5.3 - Medium - February 19, 2024

Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.

The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

CVE-2024-25982 8.8 - High - February 19, 2024

The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

Session Riding

Inadequate access control in Moodle LMS

CVE-2024-1439 3.3 - Low - February 12, 2024

Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.

Authorization

When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity

CVE-2023-5543 3.3 - Low - November 09, 2023

When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting.

Separate Groups mode restrictions were not honoured in the forum summary report, which would display users

CVE-2023-5551 3.3 - Low - November 09, 2023

Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.

In a shared hosting environment

CVE-2023-5550 9.8 - Critical - November 09, 2023

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

A remote code execution risk was identified in the IMSCP activity

CVE-2023-5540 8.8 - High - November 09, 2023

A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.

Code Injection

Students in "Only see own membership" groups could see other students in the group

CVE-2023-5542 4.3 - Medium - November 09, 2023

Students in "Only see own membership" groups could see other students in the group, which should be hidden.

Exposure of Resource to Wrong Sphere

H5P metadata automatically populated the author with the user's username

CVE-2023-5545 5.3 - Medium - November 09, 2023

H5P metadata automatically populated the author with the user's username, which could be sensitive information.

Exposure of Resource to Wrong Sphere

Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.

CVE-2023-5548 5.3 - Medium - November 09, 2023

Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.

Insufficient Verification of Data Authenticity

Insufficient web service capability checks made it possible to move categories a user had permission to manage

CVE-2023-5549 5.3 - Medium - November 09, 2023

Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.

Improper Privilege Management

A remote code execution risk was identified in the Lesson activity

CVE-2023-5539 8.8 - High - November 09, 2023

A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.

Code Injection

The CSV grade import method contained an XSS risk for users importing the spreadsheet

CVE-2023-5541 6.1 - Medium - November 09, 2023

The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.

XSS

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

CVE-2023-5544 5.4 - Medium - November 09, 2023

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

XSS

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

CVE-2023-5546 5.4 - Medium - November 09, 2023

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

XSS

The course upload preview contained an XSS risk for users uploading unsafe data.

CVE-2023-5547 6.1 - Medium - November 09, 2023

The course upload preview contained an XSS risk for users uploading unsafe data.

XSS

Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher

CVE-2023-46858 5.4 - Medium - October 29, 2023

Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to enhance their courses ... admins and teachers can post XSS-capable content, but students can not."

XSS

Content on the groups page required additional sanitizing to prevent an XSS risk

CVE-2023-35131 6.1 - Medium - June 22, 2023

Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14.

XSS

A limited SQL injection risk was identified on the Mnet SSO access control page

CVE-2023-35132 6.3 - Medium - June 22, 2023

A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

SQL Injection

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk

CVE-2023-35133 7.5 - High - June 22, 2023

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

SSRF

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section"

CVE-2021-27131 5.4 - Medium - May 16, 2023

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer. NOTE: this is disputed by the vendor because the "Additional HTML Section" for "Header and Footer" can only be supplied by an administrator, who is intentionally allowed to enter unsanitized input (e.g., site-specific JavaScript).

XSS

The vulnerability was found Moodle which exists because the application

CVE-2023-30943 5.3 - Medium - May 02, 2023

The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.

Externally Controlled Reference to a Resource in Another Sphere

The vulnerability was found Moodle

CVE-2023-30944 7.3 - High - May 02, 2023

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database.

SQL Injection

In Moodle

CVE-2022-40208 4.3 - Medium - March 24, 2023

In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.

Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.

CVE-2023-28336 4.3 - Medium - March 23, 2023

Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.

Exposure of Resource to Wrong Sphere

The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS).

CVE-2023-28333 9.8 - Critical - March 23, 2023

The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS).

Code Injection

If the algebra filter was enabled but not functional (eg the necessary binaries were missing

CVE-2023-28332 6.1 - Medium - March 23, 2023

If the algebra filter was enabled but not functional (eg the necessary binaries were missing from the server), it presented an XSS risk.

XSS

Authenticated users were able to enumerate other users' names

CVE-2023-28334 4.3 - Medium - March 23, 2023

Authenticated users were able to enumerate other users' names via the learning plans page.

Insecure Direct Object Reference / IDOR

The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.

CVE-2023-28335 8.8 - High - March 23, 2023

The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.

Session Riding

The course participation report required additional checks to prevent roles being displayed

CVE-2023-1402 4.3 - Medium - March 23, 2023

The course participation report required additional checks to prevent roles being displayed which the user did not have access to view.

Exposure of Resource to Wrong Sphere

Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).

CVE-2023-28329 8.8 - High - March 23, 2023

Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).

SQL Injection

Insufficient sanitizing in backup resulted in an arbitrary file read risk

CVE-2023-28330 6.5 - Medium - March 23, 2023

Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.

Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk.

CVE-2023-28331 6.1 - Medium - March 23, 2023

Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk.

XSS

In Moodle

CVE-2021-36402 5.3 - Medium - March 06, 2023

In Moodle, Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.

In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML

CVE-2021-36403 5.3 - Medium - March 06, 2023

In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.

In Moodle

CVE-2021-36397 5.3 - Medium - March 06, 2023

In Moodle, insufficient capability checks meant message deletions were not limited to the current user.

In moodle

CVE-2021-36398 5.4 - Medium - March 06, 2023

In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.

XSS

In Moodle

CVE-2021-36399 5.4 - Medium - March 06, 2023

In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.

XSS

In Moodle

CVE-2021-36400 5.3 - Medium - March 06, 2023

In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.

Insecure Direct Object Reference / IDOR

In Moodle

CVE-2021-36401 4.8 - Medium - March 06, 2023

In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.

XSS

In Moodle

CVE-2021-36392 9.8 - Critical - March 06, 2023

In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.

SQL Injection

In Moodle

CVE-2021-36393 9.8 - Critical - March 06, 2023

In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

SQL Injection

In Moodle

CVE-2021-36394 9.8 - Critical - March 06, 2023

In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

In Moodle

CVE-2021-36395 7.5 - High - March 06, 2023

In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.

Stack Exhaustion

In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/

CVE-2021-36396 7.5 - High - March 06, 2023

In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.

SSRF

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters

CVE-2023-23921 6.1 - Medium - February 17, 2023

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks.

XSS

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search

CVE-2023-23922 6.1 - Medium - February 17, 2023

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks.

XSS

The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference

CVE-2023-23923 8.2 - High - February 17, 2023

The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle

CVE-2022-45152 9.1 - Critical - November 25, 2022

A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.

SSRF

A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL

CVE-2022-45149 5.4 - Medium - November 23, 2022

A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website. This flaw allows an attacker to perform cross-site request forgery attacks.

Session Riding

A reflected cross-site scripting vulnerability was discovered in Moodle

CVE-2022-45150 6.1 - Medium - November 23, 2022

A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user-supplied data in policy tool. An attacker can trick the victim to open a specially crafted link that executes an arbitrary HTML and script code in user's browser in context of vulnerable website. This vulnerability may allow an attacker to perform cross-site scripting (XSS) attacks to gain access potentially sensitive information and modification of web pages.

XSS

The stored-XSS vulnerability was discovered in Moodle

CVE-2022-45151 5.4 - Medium - November 23, 2022

The stored-XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in several "social" user profile fields. An attacker could inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

XSS

Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.

CVE-2022-2986 8.8 - High - October 06, 2022

Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.

Session Riding

A remote code execution risk when restoring backup files originating

CVE-2022-40314 9.8 - Critical - September 30, 2022

A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.

Recursive rendering of Mustache template helpers containing user input could

CVE-2022-40313 7.1 - High - September 30, 2022

Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.

XSS

A limited SQL injection risk was identified in the "browse list of users" site administration page.

CVE-2022-40315 9.8 - Critical - September 30, 2022

A limited SQL injection risk was identified in the "browse list of users" site administration page.

SQL Injection

The H5P activity attempts report did not filter by groups

CVE-2022-40316 4.3 - Medium - September 30, 2022

The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.

AuthZ

Insufficient capability checks made it possible for teachers to download users outside of their courses.

CVE-2021-40692 4.3 - Medium - September 29, 2022

Insufficient capability checks made it possible for teachers to download users outside of their courses.

AuthZ

An authentication bypass risk was identified in the external database authentication functionality

CVE-2021-40693 6.5 - Medium - September 29, 2022

An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.

authentification

Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.

CVE-2021-40694 4.9 - Medium - September 29, 2022

Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.

Output Sanitization

It was possible for a student to view their quiz grade before it had been released

CVE-2021-40695 4.3 - Medium - September 29, 2022

It was possible for a student to view their quiz grade before it had been released, using a quiz web service.

A session hijack risk was identified in the Shibboleth authentication plugin.

CVE-2021-40691 4.3 - Medium - September 29, 2022

A session hijack risk was identified in the Shibboleth authentication plugin.

In certain Moodle products after creating a course

CVE-2021-36568 5.4 - Medium - September 13, 2022

In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7.

XSS

In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it

CVE-2020-14322 7.5 - High - August 16, 2022

In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service.

Allocation of Resources Without Limits or Throttling

In Moodle before 3.8.2

CVE-2020-1756 7.2 - High - August 16, 2022

In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool.

Improper Input Validation

In Moodle before 3.8.2

CVE-2020-1755 5.3 - Medium - August 16, 2022

In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.

Insufficient Verification of Data Authenticity

In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within

CVE-2020-14321 8.8 - High - August 16, 2022

In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.

AuthZ

In Moodle before 3.9.1

CVE-2020-14320 6.1 - Medium - August 16, 2022

In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.

XSS

In Moodle 3.8

CVE-2020-1691 5.4 - Medium - August 05, 2022

In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting.

XSS

In Moodle before 3.8.2

CVE-2020-1754 4.3 - Medium - August 05, 2022

In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.

Incorrect Permission Assignment for Critical Resource

The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions

CVE-2022-35650 7.5 - High - July 25, 2022

The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default.

Improper Input Validation

An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature

CVE-2022-35652 6.1 - Medium - July 25, 2022

An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Open Redirect

A stored XSS and blind SSRF vulnerability was found in Moodle

CVE-2022-35651 6.1 - Medium - July 25, 2022

A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.

XSS

A reflected XSS issue was identified in the LTI module of Moodle

CVE-2022-35653 6.1 - Medium - July 25, 2022

A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users.

XSS

The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code

CVE-2022-35649 9.8 - Critical - July 25, 2022

The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Improper Input Validation

A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.

CVE-2022-30600 9.8 - Critical - May 18, 2022

A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.

Incorrect Calculation