Package details: pkg:composer/moodle/moodle@2.5.7
purl pkg:composer/moodle/moodle@2.5.7
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (10)
| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-1ehh-qz6c-ykhp | Moodle allows attackers to obtain username and course information. Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL. | CVE-2014-3546, GHSA-4c5g-w3gf-rf4f |
| VCID-czph-uxwr-5uge | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Multiple cross-site scripting (XSS) vulnerabilities in badges/renderer.php in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via an external badge. | CVE-2014-3547, GHSA-hwjv-mc78-cccj |
| VCID-ea5s-xphb-6ub7 | Exposure of Sensitive Information to an Unauthorized Actor. mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | CVE-2014-3542, GHSA-xmwv-mqh8-4xgw |
| VCID-h8xn-n98n-qqdv | Exposure of Sensitive Information to an Unauthorized Actor. mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format. | CVE-2014-3543, GHSA-27j2-c838-c3qg |
| VCID-qxyw-7hnt-hqd6 | Improper Control of Generation of Code ('Code Injection'). Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz. | CVE-2014-3545, GHSA-3m99-h3hp-w9j7 |
| VCID-r88h-mteg-yka9 | Improper Control of Generation of Code ('Code Injection'). The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on. | CVE-2014-3541, GHSA-fccf-p8fx-vjj4 |
| VCID-s5cy-eva4-wbaf | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric. | CVE-2014-3551, GHSA-m8f5-9wg8-2c3h |
| VCID-ucg8-htfc-2bhn | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field. | CVE-2014-3544, GHSA-c9jp-244j-vh78 |
| VCID-v4qm-48kk-pfaz | Moodle does not enforce the moodle/site:accessallgroups capability requirement. mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships. | CVE-2014-3553, GHSA-mg69-5q59-8jcg |
| VCID-vs2j-b4qg-nbgu | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger an AJAX exception dialog. | CVE-2014-3548, GHSA-f66h-6mj2-rwj2 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-02T04:43:08.185830+00:00 | GitLab Importer | Fixing | VCID-vs2j-b4qg-nbgu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-3548.yml | 38.6.0 |
| 2026-06-02T04:43:07.489197+00:00 | GitLab Importer | Fixing | VCID-qxyw-7hnt-hqd6 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-3545.yml | 38.6.0 |
| 2026-06-02T04:42:54.857398+00:00 | GitLab Importer | Fixing | VCID-v4qm-48kk-pfaz | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-3553.yml | 38.6.0 |
| 2026-06-02T04:42:47.888188+00:00 | GitLab Importer | Fixing | VCID-1ehh-qz6c-ykhp | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-3546.yml | 38.6.0 |
| 2026-06-02T04:42:43.656973+00:00 | GitLab Importer | Fixing | VCID-ucg8-htfc-2bhn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-3544.yml | 38.6.0 |
| 2026-06-02T04:42:40.277427+00:00 | GitLab Importer | Fixing | VCID-ea5s-xphb-6ub7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-3542.yml | 38.6.0 |
| 2026-06-02T04:42:39.231904+00:00 | GitLab Importer | Fixing | VCID-s5cy-eva4-wbaf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-3551.yml | 38.6.0 |
| 2026-06-02T04:42:38.929770+00:00 | GitLab Importer | Fixing | VCID-r88h-mteg-yka9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-3541.yml | 38.6.0 |
| 2026-06-02T04:42:35.218370+00:00 | GitLab Importer | Fixing | VCID-h8xn-n98n-qqdv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-3543.yml | 38.6.0 |
| 2026-06-02T04:42:30.004018+00:00 | GitLab Importer | Fixing | VCID-czph-uxwr-5uge | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2014-3547.yml | 38.6.0 |