Total
7102 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-5340 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbadges capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) badges/overview.php or (2) badges/view.php. | |||||
| CVE-2016-3731 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 allows remote attackers to obtain the names of hidden forums and forum discussions. | |||||
| CVE-2016-2156 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request. | |||||
| CVE-2015-0215 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request. | |||||
| CVE-2016-2158 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request. | |||||
| CVE-2016-5014 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.8 MEDIUM | 5.4 MEDIUM |
| In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course. | |||||
| CVE-2015-3176 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | N/A |
| The account-confirmation feature in login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote attackers to obtain sensitive full-name information by attempting to self-register. | |||||
| CVE-2014-3543 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.3 MEDIUM | N/A |
| mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format. | |||||
| CVE-2014-7831 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service. | |||||
| CVE-2015-5341 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| mod_scorm in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 mishandles availability dates, which allows remote authenticated users to bypass intended access restrictions and read SCORM contents via unspecified vectors. | |||||
| CVE-2016-0724 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| The (1) core_enrol_get_course_enrolment_methods and (2) enrol_self_get_instance_info web services in Moodle through 2.6.11, 2.7.x before 2.7.12, 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 do not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to obtain sensitive information via a web-service request. | |||||
| CVE-2016-2154 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to discover hidden course names by subscribing to a rule. | |||||
| CVE-2015-3180 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| lib/navigationlib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to obtain sensitive course-structure information by leveraging access to a student account with a suspended enrolment. | |||||
| CVE-2015-5267 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | 7.5 HIGH |
| lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. | |||||
| CVE-2015-5339 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| The core_enrol_get_enrolled_users web service in enrol/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly implement group-based access restrictions, which allows remote authenticated users to obtain sensitive course-participant information via a web-service request. | |||||
| CVE-2012-5473 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to read activity entries of a different group's users via an advanced search. | |||||
| CVE-2017-7531 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Moodle 3.3, the course overview block reveals activities in hidden courses. | |||||
| CVE-2013-2243 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| mod/lesson/pagetypes/matching.php in Moodle through 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 allows remote authenticated users to obtain sensitive answer information by reading the HTML source code of a document. | |||||
| CVE-2013-1832 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A |
| repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance. | |||||
| CVE-2012-4407 | 1 Moodle | 1 Moodle | 2020-12-01 | 5.0 MEDIUM | N/A |
| lib/filelib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly check the publication state of blog files, which allows remote attackers to obtain sensitive information by reading a blog entry that references a non-public file. | |||||