| purl | pkg:composer/moodle/moodle@2.4.10 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2s6b-tp6p-gue1 (Aliases: CVE-2019-10186, GHSA-wv9c-pfpm-4wc5) | Cross-Site Request Forgery (CSRF): A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool. | Affected by 18 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-37pj-u3gh-n7fd (Aliases: CVE-2016-2190, GHSA-r9pc-g29w-f86j) | Insertion of Sensitive Information into Log File: Moodle does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log. | Affected by 27 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 37 other vulnerabilities. |
| VCID-65y9-9ur2-pugc (Aliases: CVE-2017-2576, GHSA-cjrf-xg77-chpw) | Improper Input Validation: There is incorrect sanitization of attributes in forums. | Affected by 27 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 44 other vulnerabilities. Affected by 35 other vulnerabilities. |
| VCID-83kb-4mk9-t7ge (Aliases: CVE-2017-15110, GHSA-rjh8-w8jg-xwq5) | Information Exposure: Students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students. | Affected by 19 other vulnerabilities. Affected by 33 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-a6pb-47tu-afcg (Aliases: CVE-2020-1692, GHSA-9328-7pcw-vw69) | Information Exposure: Moodle is vulnerable to information exposure of service tokens for users enrolled in the same course. | Affected by 17 other vulnerabilities. |
| VCID-ajkr-fxa1-mkhk (Aliases: CVE-2018-1045, GHSA-595j-wpfg-23w4) | Cross-site Scripting: Moodle is vulnerable to XSS via a calendar event name. | Affected by 30 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 26 other vulnerabilities. |
| VCID-an53-nu91-k3d7 (Aliases: CVE-2016-2152, GHSA-6mxm-wpqv-675h) | Cross-site Scripting: Multiple cross-site scripting (XSS) vulnerabilities in `auth/db/auth.php` in Moodle allow remote attackers to inject arbitrary web script or HTML via an external DB profile field. | Affected by 27 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 37 other vulnerabilities. |
| VCID-bjnq-q2nd-1khp (Aliases: CVE-2018-16854, GHSA-xj5f-qv37-r9jc) | Cross-Site Request Forgery (CSRF): The login form is not protected by a token to prevent login cross-site request forgery. | Affected by 19 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 32 other vulnerabilities. |
| VCID-duna-st9c-mqbk (Aliases: CVE-2018-1044, GHSA-332g-xh34-5c96) | Information Exposure: In Moodle, the quiz web services allow students to see quiz results when it is prohibited in the settings. | Affected by 30 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 32 other vulnerabilities. |
| VCID-eaqp-7abt-6kg9 (Aliases: CVE-2016-2159, GHSA-cw72-69wq-f9f2) | Improper Access Control: The `save_submission` function in `mod/assign/externallib.php` in Moodle allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request. | Affected by 27 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 37 other vulnerabilities. |
| VCID-eu27-a3px-87ed (Aliases: CVE-2019-10189, GHSA-h7xp-7fjp-ghhc) | Improper Access Control: Teachers in an assignment group could modify group overrides for other groups in the same assignment. | Affected by 18 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-fsex-f512-pudv (Aliases: CVE-2016-5013, GHSA-2hh3-jmv8-5fmx) | Injection Vulnerability: In Moodle, text injection can occur in email headers, potentially leading to outbound spam. | Affected by 30 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 48 other vulnerabilities. |
| VCID-h8xn-n98n-qqdv (Aliases: CVE-2014-3543, GHSA-27j2-c838-c3qg) | Exposure of Sensitive Information to an Unauthorized Actor: `mod/imscp/locallib.php` in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format. | Affected by 32 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 39 other vulnerabilities. |
| VCID-jcq6-btgz-fkf6 (Aliases: CVE-2021-20183, GHSA-xhfx-rm8q-c3xv) | Cross-site Scripting: It was found in Moodle that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries. | Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| VCID-k1bh-ymgt-e7cd (Aliases: CVE-2016-9187, GHSA-58fm-v4pr-jh8p) | Unrestricted Upload of File with Dangerous Type: Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. | Affected by 46 other vulnerabilities. |
| VCID-k6pw-51st-b3d2 (Aliases: CVE-2016-2153, GHSA-mj85-3hqq-r6r9) | Cross-site Scripting: Cross-site scripting (XSS) vulnerability in the `advanced-search` feature in `mod_data` in Moodle allows remote attackers to inject arbitrary web script or HTML via a crafted field in a URL. | Affected by 27 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 31 other vulnerabilities. Affected by 37 other vulnerabilities. |
| VCID-k73h-z6j8-gkgz (Aliases: CVE-2019-3810, GHSA-wm4w-8vc6-2j4h) | Information Exposure: The `/userpix/` page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted. | Affected by 19 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-m3np-aebb-8qaa (Aliases: CVE-2019-10154, GHSA-ww45-x87c-wgff) | Improper Access Control: A web service fetching messages was not restricted to the current user's conversations. | Affected by 13 other vulnerabilities. |
| VCID-m4zv-e3dn-budf (Aliases: CVE-2018-1081, GHSA-v9xq-vh72-chr4) | Improper Access Control: Unauthenticated users can trigger custom messages to admin via the PayPal enrol script. The PayPal IPN callback script should only send error emails to admin after the request origin has been verified; otherwise the admin email can be spammed. | Affected by 19 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-mkfz-e1ft-2bcw (Aliases: CVE-2021-20187, GHSA-2jrm-gww7-wch2) | Code Injection: It was found in Moodle that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. | Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-nntc-dsz1-e3fp (Aliases: CVE-2021-20186, GHSA-h8m4-h385-qhqv) | Cross-site Scripting: It was found in Moodle that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS. | Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-qhv1-wgpm-7fh6 (Aliases: CVE-2019-3849, GHSA-5wg9-5w3f-hxmh) | Improper Authorization: Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. | Affected by 13 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-qxyw-7hnt-hqd6 (Aliases: CVE-2014-3545, GHSA-3m99-h3hp-w9j7) | Improper Control of Generation of Code ('Code Injection'): Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz. | Affected by 32 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 39 other vulnerabilities. |
| VCID-r6kn-b963-eqge (Aliases: CVE-2019-3850, GHSA-3fj7-9j8m-7r8g) | URL Redirection to Untrusted Site (Open Redirect): Links within assignment submission comments would open directly (in the same window). Although the links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits. | Affected by 15 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-s6uu-335k-yfbc (Aliases: CVE-2019-3847, GHSA-qrcj-6fjw-3h9h) | Improper Input Validation: Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when viewed by the user logging in on their behalf. | Affected by 15 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-vb67-yux5-ayhf (Aliases: CVE-2016-7038, GHSA-2phx-w35g-x9vm) | Weak Password Recovery Mechanism for Forgotten Password: In Moodle, web service tokens are not invalidated when the user password is changed or forced to be changed. | Affected by 30 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 48 other vulnerabilities. |
| VCID-vfp6-4h8n-bkax (Aliases: CVE-2018-14630, GHSA-c3pr-h96w-2jjg) | Code Injection: In Moodle, an XML import of ddwtos questions could lead to intentional remote code execution. When importing legacy `drag and drop into text` (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source. | Affected by 19 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 33 other vulnerabilities. |
| VCID-w9ca-exua-g7ar (Aliases: CVE-2019-10188, GHSA-92q5-2h76-vgmj) | Improper Access Control: Teachers in a quiz group could modify group overrides for other groups in the same quiz. | Affected by 18 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-x7rg-rsb5-pya7 (Aliases: CVE-2019-10187, GHSA-2mg9-hv69-897x) | Improper Access Control: Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to. | Affected by 18 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-xmm4-zw49-3feh (Aliases: CVE-2016-0724, GHSA-hjrj-7wcj-7j3c) | Information Exposure: The (1) `core_enrol_get_course_enrolment_methods` and (2) `enrol_self_get_instance_info` web services in Moodle do not consider the `moodle/course:viewhiddencourses` capability, which allows remote authenticated users to obtain sensitive information via a web-service request. | Affected by 27 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 34 other vulnerabilities. Affected by 34 other vulnerabilities. Affected by 40 other vulnerabilities. |
| VCID-y8up-cqtu-jkdw (Aliases: CVE-2019-18210, GHSA-q6vw-27c6-jv9c) | Cross-site Scripting: Persistent XSS in `/course/modedit.php` of Moodle allows authenticated users (Teacher) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the `introeditor[text]` parameter. | Affected by 14 other vulnerabilities. |
| VCID-yghg-775s-vber (Aliases: CVE-2018-1042, GHSA-qqjv-mc2v-p7mc) | Server-Side Request Forgery (SSRF): Moodle has Server Side Request Forgery in the `filepicker`. | Affected by 30 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 32 other vulnerabilities. |
| VCID-zjrq-np3y-hua5 (Aliases: CVE-2019-3848, GHSA-45rw-4r25-jvg7) | Information Exposure: Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. | Affected by 13 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-zwkk-zazw-6fgg (Aliases: CVE-2021-20184, GHSA-mm73-86f9-5x5c) | Improper Validation of Integrity Check Value: It was found in Moodle that insufficient capability checks in some grade-related web services meant students were able to view other students' grades. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-4v57-bu85-syhr | Moodle does not properly restrict file access: The My Home implementation in the `block_html_pluginfile` function in `blocks/html/lib.php` in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block. | CVE-2014-0216, GHSA-8rc7-4qfv-4484 |
| VCID-7g7m-bu5q-gbcx | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site scripting (XSS) vulnerability in the URL downloader repository in `repository/url/lib.php` in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | CVE-2014-0218, GHSA-ch68-5r37-p7c3 |
| VCID-j3t3-svwb-p7bn | Cross-Site Request Forgery (CSRF): Multiple cross-site request forgery (CSRF) vulnerabilities in `mod/assign/locallib.php` in the Assignment subsystem in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allow remote attackers to hijack the authentication of teachers for quick-grading requests. | CVE-2014-0213, GHSA-h75f-hjcr-cvh8 |
| VCID-qpu2-8paz-7ydv | Exposure of Sensitive Information to an Unauthorized Actor: The blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote authenticated users to de-anonymize student identities by (1) using a screen reader or (2) reading the HTML source. | CVE-2014-0215, GHSA-2fmv-j5xj-4fmq |
| VCID-vwyj-z4gf-8fg5 | Improper Authentication: `login/token.php` in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 creates a MoodleMobile web-service token with an infinite lifetime, which makes it easier for remote attackers to hijack sessions via a brute-force attack. | CVE-2014-0214, GHSA-48rq-vj58-2mh6 |