Search for packages
| purl | pkg:composer/moodle/moodle@2.5.9 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-hbky-xx53-vkct
Aliases: CVE-2015-2269 GHSA-cp39-43xr-2wrp |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript-static.js in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) alt or (2) title attribute in an IMG element. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-uptz-tj66-7yfk
Aliases: CVE-2015-3175 GHSA-h798-h7ff-93xv |
Moodle Arbitrary Redirect Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an error page that links to a URL from an HTTP Referer header. |
Affected by 7 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1rar-m2g3-27ag | Exposure of Sensitive Information to an Unauthorized Actor mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher. |
CVE-2014-7833
GHSA-jq7x-gm9r-v8m7 |
| VCID-29yj-e9bd-queq | Moodle allows attackers to remove wiki pages mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to remove wiki pages by leveraging delete access within a different subwiki. |
CVE-2014-7837
GHSA-p3hj-cfhm-7g6v |
| VCID-5c29-qn3p-3yde | Moodle does not consider the moodle/tag:edit capability before adding a tag tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request. |
CVE-2014-7846
GHSA-468q-9cmp-76wc |
| VCID-8q4n-d565-kfbn | Cross-Site Request Forgery (CSRF) Multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for requests that set a tracking preference within (1) mod/forum/deprecatedlib.php, (2) mod/forum/forum.js, (3) mod/forum/index.php, or (4) mod/forum/lib.php. |
CVE-2014-7838
GHSA-43r4-vm25-qm78 |
| VCID-bfmx-cwap-8yhp | Moodle allows attackers to cause a denial of service iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote attackers to cause a denial of service (resource consumption) by triggering the calculation of an estimated latitude and longitude for an IP address. |
CVE-2014-7847
GHSA-6vjg-2q57-rgfw |
| VCID-krn6-pwk5-ake2 | Improper Input Validation The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php. |
CVE-2014-9060
GHSA-c87j-9rrq-h3j8 |
| VCID-kzwd-2e6n-fkbm | Cross-Site Request Forgery (CSRF) Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request. |
CVE-2014-7836
GHSA-wpq5-q3mj-8f3r |
| VCID-rdfn-52p2-afa7 | Moodle Temporary Passwords are Brute Force-able The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack. |
CVE-2014-7845
GHSA-9v64-447r-wch6 |
| VCID-uvgt-7m5a-xkdc | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts. |
CVE-2014-9059
GHSA-crcq-pw8h-9xwf |
| VCID-vda3-4fgr-gfbw | Moodle allows attackers to bypass the mod/lti:view capability requirement mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance. |
CVE-2014-7832
GHSA-mphj-h2fc-62x3 |
| VCID-xnmk-jah2-ufce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter. |
CVE-2014-7830
GHSA-j4mr-vc54-h5pc |