Total
605 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2011-4285 | 1 Moodle | 1 Moodle | 2023-11-07 | 5.5 MEDIUM | N/A |
| The default configuration of Moodle 2.0.x before 2.0.2 has an incorrect setting of the moodle/course:delete capability, which allows remote authenticated users to delete arbitrary courses by leveraging the teacher role. | |||||
| CVE-2004-2232 | 1 Moodle | 1 Moodle | 2023-11-07 | 7.5 HIGH | N/A |
| SQL injection vulnerability in sql.php in the Glossary module in Moodle 1.4.1 and earlier allows remote attackers to modify SQL statements. | |||||
| CVE-2022-0985 | 1 Moodle | 1 Moodle | 2023-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability. | |||||
| CVE-2021-36393 | 1 Moodle | 1 Moodle | 2023-03-13 | N/A | 9.8 CRITICAL |
| In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses. | |||||
| CVE-2021-36392 | 1 Moodle | 1 Moodle | 2023-03-13 | N/A | 9.8 CRITICAL |
| In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses. | |||||
| CVE-2023-23922 | 1 Moodle | 1 Moodle | 2023-02-28 | N/A | 6.1 MEDIUM |
| The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks. | |||||
| CVE-2023-23921 | 1 Moodle | 1 Moodle | 2023-02-28 | N/A | 6.1 MEDIUM |
| The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks. | |||||
| CVE-2012-3394 | 1 Moodle | 1 Moodle | 2023-02-13 | 5.0 MEDIUM | N/A |
| auth/ldap/ntlmsso_attempt.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 redirects users from an https LDAP login URL to an http URL, which allows remote attackers to obtain sensitive information by sniffing the network. | |||||
| CVE-2012-2354 | 1 Moodle | 1 Moodle | 2023-02-13 | 4.0 MEDIUM | N/A |
| Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass the moodle/site:readallmessages capability requirement and read arbitrary messages by using the "Recent conversations" feature with a modified parameter in a URL. | |||||
| CVE-2012-2357 | 1 Moodle | 1 Moodle | 2023-02-13 | 5.0 MEDIUM | N/A |
| The Multi-Authentication feature in the Central Authentication Service (CAS) functionality in auth/cas/cas_form.html in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 does not use HTTPS, which allows remote attackers to obtain credentials by sniffing the network. | |||||
| CVE-2012-2364 | 1 Moodle | 1 Moodle | 2023-02-13 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in lib/filelib.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via an assignment submission with zip compression, leading to text/html rendering during a "download all" action. | |||||
| CVE-2012-3390 | 1 Moodle | 1 Moodle | 2023-02-13 | 3.5 LOW | N/A |
| lib/filelib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not properly restrict file access after a block has been hidden, which allows remote authenticated users to obtain sensitive information by reading a file that is embedded in a block. | |||||
| CVE-2011-4300 | 1 Moodle | 1 Moodle | 2023-02-13 | 5.0 MEDIUM | N/A |
| The file_browser component in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 does not properly restrict access to category and course data, which allows remote attackers to obtain potentially sensitive information via a request for a file. | |||||
| CVE-2011-4301 | 1 Moodle | 1 Moodle | 2023-02-13 | 5.0 MEDIUM | N/A |
| The MoodleQuickForm class in the Forms Library in lib/formslib.php in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 does not recognize Forms API setConstant operations, which allows remote attackers to submit unexpected form content by modifying the values of constant fields. | |||||
| CVE-2011-4309 | 1 Moodle | 1 Moodle | 2023-02-13 | 5.0 MEDIUM | N/A |
| Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote attackers to bypass intended access restrictions and perform global searches by leveraging the guest role and making a direct request to a URL. | |||||
| CVE-2011-4288 | 1 Moodle | 1 Moodle | 2023-02-13 | 4.0 MEDIUM | N/A |
| Moodle 1.9.x before 1.9.12 and 2.0.x before 2.0.3 does not properly implement associations between teachers and groups, which allows remote authenticated users to read quiz reports of arbitrary students by leveraging the teacher role. | |||||
| CVE-2011-4290 | 1 Moodle | 1 Moodle | 2023-02-13 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in lib/weblib.php in Moodle 1.9.x before 1.9.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to URL encoding. | |||||
| CVE-2012-0796 | 1 Moodle | 1 Moodle | 2023-02-13 | 4.0 MEDIUM | N/A |
| class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 and other products, allows remote authenticated users to inject arbitrary e-mail headers via vectors involving a crafted (1) From: or (2) Sender: header. | |||||
| CVE-2012-0800 | 1 Moodle | 1 Moodle | 2023-02-13 | 2.1 LOW | N/A |
| The form-autocompletion functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 makes it easier for physically proximate attackers to discover passwords by reading the contents of a non-password field, as demonstrated by accessing a create-groups page with Safari on an iPad device. | |||||
| CVE-2012-0794 | 1 Moodle | 1 Moodle | 2023-02-13 | 5.0 MEDIUM | N/A |
| The rc4encrypt function in lib/moodlelib.php in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 uses a hardcoded password of nfgjeingjk, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by reading this script's source code within the open-source software distribution. | |||||