Moodle


By the Year

In 2021 there have been 21 vulnerabilities in Moodle with an average score of 5.9 out of ten. Last year Moodle had 20 security vulnerabilities published. That is, 1 more vulnerability has already been reported in 2021 than in all of last year. Last year's average CVE base score was higher by 0.64.

Year Vulnerabilities Average Score
2021 21 5.94
2020 20 6.58
2019 17 5.94
2018 17 6.58

It may take a day or so for new Moodle vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Moodle Security Vulnerabilities

CVE-2021-43558 6.1 - Medium - November 22, 2021

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.

XSS

CVE-2021-43559 8.8 - High - November 22, 2021

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

Session Riding

CVE-2021-43560 5.3 - Medium - November 22, 2021

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.

Exposure of Resource to Wrong Sphere

CVE-2021-3943 9.8 - Critical - November 22, 2021

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified.

Improper Input Validation

CVE-2021-21809 9.1 - Critical - June 23, 2021

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerability.

Incorrect Permission Assignment for Critical Resource

CVE-2021-32244 5.4 - Medium - June 16, 2021

Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.

XSS

CVE-2019-14827 6.1 - Medium - May 17, 2021

A vulnerability was found in Moodle where JavaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions.

Code Injection

CVE-2019-14831 6.1 - Medium - March 19, 2021

A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscribe link contained an open redirect if forced subscription mode was enabled. If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.

Open Redirect

CVE-2019-14830 6.1 - Medium - March 19, 2021

A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").

Open Redirect

CVE-2019-14829 4.3 - Medium - March 19, 2021

A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.

Improper Following of Specification by Caller

CVE-2019-14828 4.3 - Medium - March 19, 2021

A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.

AuthZ

CVE-2021-20283 4.3 - Medium - March 15, 2021

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

AuthZ

CVE-2021-20282 5.3 - Medium - March 15, 2021

When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

AuthZ

CVE-2021-20279 5.4 - Medium - March 15, 2021

The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

XSS

CVE-2021-20280 5.4 - Medium - March 15, 2021

Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

XSS

CVE-2021-20281 5.3 - Medium - March 15, 2021

It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

Information Disclosure

CVE-2021-20185 5.3 - Medium - January 28, 2021

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.

Resource Exhaustion

CVE-2021-20183 5.4 - Medium - January 28, 2021

It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.

XSS

CVE-2021-20184 4.3 - Medium - January 28, 2021

It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that insufficient capability checks in some grade-related web services meant students were able to view other students' grades.

AuthZ

CVE-2021-20186 5.4 - Medium - January 28, 2021

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.

XSS

CVE-2021-20187 7.2 - High - January 28, 2021

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.

Code Injection

CVE-2020-25627 6.1 - Medium - December 09, 2020

The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2.

XSS

CVE-2020-25628 6.1 - Medium - December 08, 2020

The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

XSS

CVE-2020-25629 8.8 - High - December 08, 2020

A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

Authorization

CVE-2020-25630 7.5 - High - December 08, 2020

A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

Resource Exhaustion
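The check CVE-2020-25630 describes is cheap to do and easy to get half right. The example below is added here and is not Moodle code: it reads the sizes the archive's central directory declares before inflating anything, and then keeps counting while inflating, because a member's header can understate its real size. The quota value and the archive are constructed for the example.

```python
"""Added example (not Moodle code): refuse to unpack an archive whose declared
or actual uncompressed size exceeds the caller's remaining quota.  The quota
value and the archive are constructed here for illustration."""
import io
import zipfile


class QuotaExceeded(Exception):
    pass


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory DEFLATE archive from {name: content} (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def declared_uncompressed_size(data: bytes) -> int:
    """Sum of the sizes the central directory claims.  Cheap, and enough to
    reject a 10 MB-for-10 KB archive before a single byte is inflated."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist())


def extract_within_quota(data: bytes, quota_bytes: int, chunk: int = 64 * 1024) -> int:
    """Inflate every member, counting bytes as they are produced, and return the
    total.  The central-directory check runs first; the running count catches a
    member whose header understates its real size.  Output is discarded here so
    the example stays in memory; a real extractor would write each block out."""
    if declared_uncompressed_size(data) > quota_bytes:
        raise QuotaExceeded("archive claims more than the remaining quota")
    written = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while block := member.read(chunk):
                    written += len(block)
                    if written > quota_bytes:
                        raise QuotaExceeded(f"{info.filename} pushed the total past the quota")
    return written


if __name__ == "__main__":
    # Ten megabytes of zeros deflate to roughly ten kilobytes: a small upload
    # that would consume far more than its size once unpacked.
    bomb = build_zip({"zeros.bin": bytes(10 * 1024 * 1024)})
    print(f"{len(bomb)} bytes on disk, {declared_uncompressed_size(bomb)} declared")
    try:
        extract_within_quota(bomb, quota_bytes=1024 * 1024)
    except QuotaExceeded as err:
        print("rejected:", err)
```

The same pre-check applies to the quota issue in CVE-2019-10134 further down: whatever path brings the file in (web upload, email, restore), the size that counts against the user is the size after unpacking, not the size of the upload.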

CVE-2020-25631 6.1 - Medium - December 08, 2020

A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.

XSS

CVE-2020-25698 7.5 - High - November 19, 2020

Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

CVE-2020-25699 7.5 - High - November 19, 2020

In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

AuthZ

CVE-2020-25701 5.3 - Medium - November 19, 2020

If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

AuthZ

CVE-2020-25702 6.1 - Medium - November 19, 2020

In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.

XSS

CVE-2020-25703 5.3 - Medium - November 19, 2020

The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.

Information Disclosure

CVE-2020-25700 6.5 - Medium - November 19, 2020

In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10.

AuthZ

CVE-2020-10738 8.8 - High - May 21, 2020

A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions. It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution.

Improper Input Validation

CVE-2019-14880 9.1 - Critical - March 31, 2020

A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.

CVE-2019-14884 6.1 - Medium - March 18, 2020

A vulnerability was found in Moodle 3.7 before 3.7.3, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS was possible from some fatal error messages.

XSS

CVE-2019-14883 5.3 - Medium - March 18, 2020

A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token.

AuthZ

CVE-2019-14882 6.1 - Medium - March 18, 2020

A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier where an open redirect existed in the Lesson edit page.

Open Redirect

CVE-2019-14881 6.1 - Medium - March 18, 2020

A vulnerability was found in moodle 3.7 before 3.7.3, where a blind reflected XSS was possible in some locations where the user email is displayed.

XSS

CVE-2020-1692 6.5 - Medium - February 17, 2020

Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course.

Information Disclosure

CVE-2019-18210 5.4 - Medium - February 11, 2020

Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug."

XSS

CVE-2019-14879 5.4 - Medium - January 07, 2020

A vulnerability was found in Moodle versions 3.7.x before 3.7.3, 3.6.x before 3.6.7 and 3.5.x before 3.5.9. When a cohort role assignment was removed, the associated capabilities were not being revoked (where applicable).

Improper Check for Dropped Privileges

CVE-2019-10188 4.3 - Medium - July 31, 2019

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in a quiz group could modify group overrides for other groups in the same quiz.

Authorization

CVE-2019-10186 8.8 - High - July 31, 2019

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.

Session Riding

CVE-2019-10189 4.3 - Medium - July 31, 2019

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in an assignment group could modify group overrides for other groups in the same assignment.

Authorization

CVE-2019-10187 4.3 - Medium - July 31, 2019

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.

Authorization

CVE-2019-10133 6.1 - Medium - June 26, 2019

A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.

Open Redirect
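Four entries on this page (CVE-2019-14831, CVE-2019-14830, CVE-2019-14882 and CVE-2019-10133) are the same bug in different forms: a redirect target taken from the request and not restricted to the site's own root. The function below is an added example, not Moodle code, of the validation such parameters need. It resolves the candidate against the site root and accepts it only if scheme, host and path prefix all still match; the site root is an assumed value standing in for Moodle's wwwroot setting.

```python
"""Added example (not Moodle code): validate a user-supplied return URL so a
redirect can only land on the site's own root.  The root below is assumed."""
from urllib.parse import urljoin, urlsplit

WWWROOT = "https://moodle.example.edu/"   # assumed site root (Moodle's $CFG->wwwroot)


def safe_return_url(candidate: str, wwwroot: str = WWWROOT, fallback: str = "/") -> str:
    """Return an absolute URL under wwwroot, or `fallback` if the candidate
    would leave the site.  Covers the usual bypasses: absolute URLs to other
    hosts, scheme-relative //host, backslashes that browsers turn into slashes,
    non-http schemes such as javascript:, user@host tricks and look-alike hosts."""
    if not candidate:
        return fallback
    candidate = candidate.strip()
    # CR/LF in the value would let it inject extra headers into the Location response.
    if any(ch in candidate for ch in "\r\n\0"):
        return fallback
    # Browsers treat "\" like "/" in URLs, so "/\evil" is really "//evil".
    candidate = candidate.replace("\\", "/")
    resolved = urljoin(wwwroot, candidate)
    root, target = urlsplit(wwwroot), urlsplit(resolved)
    if target.scheme != root.scheme:
        return fallback            # javascript:, data:, or an https -> http downgrade
    if target.netloc.lower() != root.netloc.lower():
        return fallback            # //evil, user@evil, moodle.example.edu.evil
    if not target.path.startswith(root.path):
        return fallback            # site installed in a sub-directory of the host
    return resolved


if __name__ == "__main__":
    for raw in ("/course/view.php?id=3", "//evil.example/x", "/\\evil.example/x",
                "javascript:alert(1)", "https://moodle.example.edu.evil.example/"):
        print(f"{raw!r:45} -> {safe_return_url(raw)}")
```

Two points worth carrying over to any redirect parameter: compare the host exactly rather than with a substring test, and fall back to a fixed local page rather than echoing the rejected value. For the mobile launch case (CVE-2019-14830), where the redirect carries an access token, the cost of getting this wrong is the token itself, not just the user landing on another site.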

CVE-2019-10134 3.7 - Low - June 26, 2019

A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.

CVE-2019-10154 7.5 - High - June 26, 2019

A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.

Authorization

CVE-2019-3847 4.8 - Medium - March 27, 2019

A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.

XSS

CVE-2019-3852 4.3 - Medium - March 26, 2019

A vulnerability was found in moodle before version 3.6.3. The get_with_capability_join and get_users_by_capability functions were not taking context freezing into account when checking user capabilities

CVE-2019-3851 4.3 - Medium - March 26, 2019

A vulnerability was found in moodle before versions 3.6.3 and 3.5.5. There was a link to site home within the Boost theme's secure layout, meaning students could navigate out of the page.

CVE-2019-3850 6.1 - Medium - March 26, 2019

A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits.

Open Redirect

CVE-2019-3849 8.8 - High - March 26, 2019

A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.

Permissions, Privileges, and Access Controls

CVE-2019-3848 4.3 - Medium - March 26, 2019

A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)

AuthZ

CVE-2019-3809 10 - Critical - March 25, 2019

A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.

XSPA

CVE-2019-3808 6.5 - Medium - March 25, 2019

A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default.

7PK - Security Features

CVE-2019-3810 5.3 - Medium - March 25, 2019

A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.

XSS

CVE-2019-6970 7.5 - High - March 21, 2019

Moodle 3.5.x before 3.5.4 allows SSRF.

XSPA

CVE-2018-16854 8.8 - High - November 26, 2018

A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15.

Session Riding

CVE-2018-14631 6.1 - Medium - September 17, 2018

moodle before versions 3.5.2, 3.4.5, 3.3.8 is vulnerable to an insufficiently filtered blog search GET parameter in the Boost theme. The breadcrumb navigation provided by the Boost theme when displaying search results of a blog was insufficiently filtered, which could result in reflected XSS if a user followed a malicious link containing JavaScript in the search parameter.

XSS

CVE-2018-14630 8.8 - High - September 17, 2018

moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to remote code execution via XML import of ddwtos questions. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.

Code Injection

CVE-2018-10891 7.3 - High - July 10, 2018

A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank.

CVE-2018-10890 5.3 - Medium - July 10, 2018

A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. It was possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories.

Information Disclosure

CVE-2018-10889 5.3 - Medium - July 10, 2018

A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7. No option existed to omit logs from data privacy exports, which may contain details of other users who interacted with the requester.

Insertion of Sensitive Information into Log File

CVE-2018-1135 6.5 - Medium - May 25, 2018

An issue was discovered in Moodle 3.x. Students who posted on forums and exported the posts to portfolios can download any stored Moodle file by changing the download URL.

Information Disclosure

CVE-2018-1133 8.8 - High - May 25, 2018

An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.

Code Injection

CVE-2018-1134 6.5 - Medium - May 25, 2018

An issue was discovered in Moodle 3.x. Students who submitted assignments and exported them to portfolios can download any stored Moodle file by changing the download URL.

Improper Privilege Management

CVE-2018-1137 8.1 - High - May 25, 2018

An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack.

Improper Input Validation

CVE-2018-1136 4.3 - Medium - May 25, 2018

An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other pages where they can be viewed by other users.

XSS

CVE-2018-1082 8.1 - High - April 04, 2018

A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.

Authentication

CVE-2018-1081 5.3 - Medium - April 04, 2018

A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to the admin via the PayPal enrol script. The PayPal IPN callback script should only send error emails to the admin after the request origin has been verified; otherwise the admin email can be spammed.

CVE-2018-1042 6.5 - Medium - January 22, 2018

Moodle 3.x has Server Side Request Forgery in the filepicker.

XSPA

CVE-2018-1045 5.4 - Medium - January 22, 2018

In Moodle 3.x, there is XSS via a calendar event name.

XSS

CVE-2018-1044 4.3 - Medium - January 22, 2018

In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings.

Information Disclosure

CVE-2018-1043 6.5 - Medium - January 22, 2018

In Moodle 3.x, the setting for blocked hosts list can be bypassed with multiple A record hostnames.
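The bypass in CVE-2018-1043 works because the check resolves the name once and looks at one answer; a name whose first A record is public and whose second is internal passes, and the connection can still go to the internal one. The same host check is what stands between the SSRF entries on this page (CVE-2018-1042, CVE-2019-6970, CVE-2019-3809, CVE-2021-20280) and the internal network. The code below is an added example, not Moodle's implementation: it shows the single-answer check beside one that validates every answer and returns the exact address that was validated, so the caller connects to that address rather than resolving again. The blocklist entries and DNS answers are constructed; nothing here touches the network.

```python
"""Added example (not Moodle code): host blocklist enforcement for outbound
fetches that checks every address a name resolves to and pins the connection
to the address that was checked.  Blocklist entries and DNS answers are
constructed for the example; no network access is needed."""
import ipaddress
from urllib.parse import urlsplit


class BlockedHost(Exception):
    pass


# Assumed administrator blocklist: hostnames plus address ranges.
BLOCKED_HOSTS = {"localhost", "metadata.internal"}
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed DNS answers standing in for a real resolver.  The attacker-controlled
# name returns a harmless-looking address first and an internal one second.
FAKE_DNS = {
    "badges.example.org": ["203.0.113.10"],
    "multi-a.attacker.example": ["203.0.113.20", "10.0.0.5"],
    "localhost": ["127.0.0.1"],
}


def fake_resolve(host: str) -> list[str]:
    return list(FAKE_DNS.get(host.lower(), []))


def ip_is_blocked(ip) -> bool:
    # 203.0.113.0/24 (RFC 5737) serves as the "public" sample above.  A production
    # check would also reject anything with `not ip.is_global`, which excludes it.
    return (any(ip in net for net in BLOCKED_NETS) or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_unspecified)


def naive_host_blocked(host: str, resolver=fake_resolve) -> bool:
    """Pre-fix shape of the check: one lookup, first answer only.  A name with a
    public record ahead of an internal one passes."""
    if host.lower() in BLOCKED_HOSTS:
        return True
    answers = resolver(host)
    return bool(answers) and ip_is_blocked(ipaddress.ip_address(answers[0]))


def pinned_target(url: str, resolver=fake_resolve) -> tuple[str, int]:
    """Check every answer, then return one concrete (ip, port) for the caller to
    connect to directly, sending the original name in the Host header.  Resolving
    again at connect time would reopen the window the multi-record trick uses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedHost(f"scheme {parts.scheme!r} not allowed")
    host = (parts.hostname or "").lower()
    if not host or host in BLOCKED_HOSTS:
        raise BlockedHost(f"host {host!r} is blocked")
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise BlockedHost(f"{host!r} does not resolve")
    for addr in addrs:
        if ip_is_blocked(addr):
            raise BlockedHost(f"{host!r} resolves to blocked address {addr}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return str(addrs[0]), port


if __name__ == "__main__":
    print("naive check passes multi-A name:", not naive_host_blocked("multi-a.attacker.example"))
    for url in ("https://badges.example.org/backpack", "http://multi-a.attacker.example/",
                "http://169.254.169.254/latest/", "http://[::1]/"):
        try:
            print(url, "->", pinned_target(url))
        except BlockedHost as err:
            print(url, "-> blocked:", err)
```

Pinning the address only helps if the HTTP client honours it; with a client that re-resolves on redirect, every hop of a 3xx chain has to go back through the same check. For the badge case in CVE-2019-3809 the stronger control is an allowlist of the one backpack host the feature is meant to talk to, with the blocklist as a backstop.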

CVE-2013-3630 - November 01, 2013

Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.

Code Injection

CVE-2013-4341 - September 16, 2013

Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed.

XSS
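The affected-version text in these entries comes in a handful of phrasings ("3.11 to 3.11.3 ... and earlier unsupported versions", "before 3.10.2, 3.9.5, 3.8.8, 3.5.17", "3.8 before 3.8.3", "Fixed in 3.9.2, 3.8.5 ...", "through 2.5.2"), and reading sixty of them against an installed version by eye is error-prone. The script below is an added example, not part of this listing or of Moodle: it parses those phrasings and answers True, False or None (the text does not say) for a given installed version. The sample descriptions are quoted from the entries above; anything outside these phrasings, such as "Moodle 3.x", deliberately comes back as unknown rather than as a guess.

```python
"""Added example (not part of the listing or of Moodle): read the affected
version ranges quoted in the CVE descriptions above and decide whether an
installed Moodle version is covered.  Only the phrasings used on this page are
understood; anything else yields None (unknown)."""
import re

VER = r"\d+\.\d+(?:\.\d+)?"
# A version token that is not itself the start of an "X before Y" / "X to Y" clause.
ITEM = rf"{VER}(?! (?:before|to)\b)"
RANGE_RE = re.compile(rf"({VER}) to ({VER})")
FIX_LIST_RE = re.compile(
    rf"\b(?:before|fixed in)(?: moodle)?(?: versions?)? ({ITEM}(?:(?:,| and|, and) {ITEM})*)",
    re.I)
THROUGH_RE = re.compile(rf"\bthrough ({VER})", re.I)
EARLIER_RE = re.compile(r"\band earlier\b", re.I)

# Descriptions quoted from the entries above, used as sample input.
EXAMPLES = {
    "CVE-2021-43558": "A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, "
                      "3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the "
                      "filetype site administrator tool required extra sanitizing to prevent a "
                      "reflected XSS risk.",
    "CVE-2021-20283": "The web service responsible for fetching other users' enrolled courses did "
                      "not validate that the requesting user had permission to view that "
                      "information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.",
    "CVE-2020-10738": "A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, "
                      "3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions.",
    "CVE-2020-25699": "Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 "
                      "and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, "
                      "3.7.9, 3.5.15, and 3.10.",
    "CVE-2013-3630": "Moodle through 2.5.2 allows remote authenticated administrators to execute "
                     "arbitrary programs by configuring the aspell pathname.",
    "CVE-2018-1133": "An issue was discovered in Moodle 3.x.",
}


def parse_version(text: str) -> tuple:
    """'3.10' -> (3, 10, 0); '3.10.2' -> (3, 10, 2)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def branch(v: tuple) -> tuple:
    return v[:2]


def affected_versions(description: str):
    """Pull out (ranges, fix versions, 'through' caps, earlier-versions flag)."""
    ranges = [(parse_version(a), parse_version(b)) for a, b in RANGE_RE.findall(description)]
    fixes = [parse_version(v) for m in FIX_LIST_RE.finditer(description)
             for v in re.findall(VER, m.group(1))]
    through = [parse_version(v) for v in THROUGH_RE.findall(description)]
    return ranges, fixes, through, bool(EARLIER_RE.search(description))


def is_affected(description: str, installed: str):
    """True / False when the text decides it for this branch, None otherwise."""
    v = parse_version(installed)
    ranges, fixes, through, earlier = affected_versions(description)
    for lo, hi in ranges:                 # "3.10 to 3.10.7"
        if branch(v) == branch(lo):
            return lo <= v <= hi
    for fix in fixes:                     # "before 3.10.2" / "fixed in 3.10.2"
        if branch(v) == branch(fix):
            return v < fix
    if through:                           # "through 2.5.2": everything up to the cap
        return v <= max(through)
    mentioned = [branch(lo) for lo, _ in ranges] + [branch(f) for f in fixes]
    if not mentioned:
        return None
    if branch(v) < min(mentioned):        # older than every branch listed
        return True if earlier else None
    if branch(v) > max(mentioned):        # newer than every branch listed
        return False
    return None                           # a branch the text skips over


if __name__ == "__main__":
    installed = "3.9.4"
    for cve, text in EXAMPLES.items():
        print(f"{cve}: {installed} affected -> {is_affected(text, installed)}")
```

The None results are the useful ones: a branch the advisory does not mention (3.7 in the CVE-2021-20283 text, for instance) was usually out of support at the time, which means it is unpatched rather than unaffected, and that is a decision for the reader, not the parser.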
