VulnerableCode Package Details - pkg:composer/moodle/moodle@2.5.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-h8xn-n98n-qqdv Aliases: CVE-2014-3543 GHSA-27j2-c838-c3qg	Exposure of Sensitive Information to an Unauthorized Actor mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format.	2.5.7 Affected by 0 other vulnerabilities. 2.6.4 Affected by 0 other vulnerabilities. 2.7.1 Affected by 0 other vulnerabilities.
VCID-qxyw-7hnt-hqd6 Aliases: CVE-2014-3545 GHSA-3m99-h3hp-w9j7	Improper Control of Generation of Code ('Code Injection') Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz.	2.5.7 Affected by 0 other vulnerabilities. 2.6.4 Affected by 0 other vulnerabilities. 2.7.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-h8xn-n98n-qqdv
Aliases:
CVE-2014-3543
GHSA-27j2-c838-c3qg

Exposure of Sensitive Information to an Unauthorized Actor mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format.

2.5.7
Affected by 0 other vulnerabilities.

2.6.4
Affected by 0 other vulnerabilities.

2.7.1
Affected by 0 other vulnerabilities.

VCID-qxyw-7hnt-hqd6
Aliases:
CVE-2014-3545
GHSA-3m99-h3hp-w9j7

Improper Control of Generation of Code ('Code Injection') Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz.

2.5.7
Affected by 0 other vulnerabilities.

2.6.4
Affected by 0 other vulnerabilities.

2.7.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4v57-bu85-syhr	Moodle does not properly restrict file access The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block.	CVE-2014-0216 GHSA-8rc7-4qfv-4484
VCID-7g7m-bu5q-gbcx	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in the URL downloader repository in repository/url/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.	CVE-2014-0218 GHSA-ch68-5r37-p7c3
VCID-j3t3-svwb-p7bn	Cross-Site Request Forgery (CSRF) Multiple cross-site request forgery (CSRF) vulnerabilities in mod/assign/locallib.php in the Assignment subsystem in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allow remote attackers to hijack the authentication of teachers for quick-grading requests.	CVE-2014-0213 GHSA-h75f-hjcr-cvh8
VCID-qpu2-8paz-7ydv	Exposure of Sensitive Information to an Unauthorized Actor The blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote authenticated users to de-anonymize student identities by (1) using a screen reader or (2) reading the HTML source.	CVE-2014-0215 GHSA-2fmv-j5xj-4fmq
VCID-vwyj-z4gf-8fg5	Improper Authentication login/token.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 creates a MoodleMobile web-service token with an infinite lifetime, which makes it easier for remote attackers to hijack sessions via a brute-force attack.	CVE-2014-0214 GHSA-48rq-vj58-2mh6

Vulnerability

Summary

Aliases

VCID-4v57-bu85-syhr

Moodle does not properly restrict file access The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block.

CVE-2014-0216
GHSA-8rc7-4qfv-4484

VCID-7g7m-bu5q-gbcx

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in the URL downloader repository in repository/url/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-0218
GHSA-ch68-5r37-p7c3

VCID-j3t3-svwb-p7bn

Cross-Site Request Forgery (CSRF) Multiple cross-site request forgery (CSRF) vulnerabilities in mod/assign/locallib.php in the Assignment subsystem in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allow remote attackers to hijack the authentication of teachers for quick-grading requests.

CVE-2014-0213
GHSA-h75f-hjcr-cvh8

VCID-qpu2-8paz-7ydv

Exposure of Sensitive Information to an Unauthorized Actor The blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote authenticated users to de-anonymize student identities by (1) using a screen reader or (2) reading the HTML source.

CVE-2014-0215
GHSA-2fmv-j5xj-4fmq

VCID-vwyj-z4gf-8fg5

Improper Authentication login/token.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 creates a MoodleMobile web-service token with an infinite lifetime, which makes it easier for remote attackers to hijack sessions via a brute-force attack.

CVE-2014-0214
GHSA-48rq-vj58-2mh6

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:43:07.402550+00:00	GitLab Importer	Affected by	VCID-qxyw-7hnt-hqd6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-3545.yml	38.6.0
2026-06-02T04:43:05.666522+00:00	GitLab Importer	Fixing	VCID-j3t3-svwb-p7bn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-0213.yml	38.6.0
2026-06-02T04:42:57.767480+00:00	GitLab Importer	Fixing	VCID-7g7m-bu5q-gbcx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-0218.yml	38.6.0
2026-06-02T04:42:55.217798+00:00	GitLab Importer	Fixing	VCID-4v57-bu85-syhr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-0216.yml	38.6.0
2026-06-02T04:42:46.130942+00:00	GitLab Importer	Fixing	VCID-qpu2-8paz-7ydv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-0215.yml	38.6.0
2026-06-02T04:42:39.014517+00:00	GitLab Importer	Fixing	VCID-vwyj-z4gf-8fg5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-0214.yml	38.6.0
2026-06-02T04:42:35.132831+00:00	GitLab Importer	Affected by	VCID-h8xn-n98n-qqdv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-3543.yml	38.6.0