| purl | pkg:composer/moodle/moodle@2.7.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1ehh-qz6c-ykhp (aliases: CVE-2014-3546, GHSA-4c5g-w3gf-rf4f) | Moodle allows attackers to obtain username and course information: Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL. | Affected by 0 other vulnerabilities. |
| VCID-1rar-m2g3-27ag (aliases: CVE-2014-7833, GHSA-jq7x-gm9r-v8m7) | Exposure of Sensitive Information to an Unauthorized Actor: mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher. | Affected by 0 other vulnerabilities. |
| VCID-1z6j-fs6f-eua1 (aliases: CVE-2015-5266, GHSA-454r-4cjv-vc9h) | Moodle allows attackers to obtain manager privileges: the enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing during a long-running sync script. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-29yj-e9bd-queq (aliases: CVE-2014-7837, GHSA-p3hj-cfhm-7g6v) | Moodle allows attackers to remove wiki pages: mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to remove wiki pages by leveraging delete access within a different subwiki. | Affected by 0 other vulnerabilities. |
| VCID-2dxb-v1af-jbax (aliases: CVE-2017-7491) | Cross-Site Request Forgery (CSRF): a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-2y3m-yuaj-vkf2 (aliases: CVE-2015-2273, GHSA-w77v-xpxr-c6pv) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): cross-site scripting (XSS) vulnerability in mod/quiz/report/statistics/statistics_question_table.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the student role for a crafted quiz response. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-37j1-ym2f-1fbc (aliases: CVE-2015-3272, GHSA-2hw2-h3mf-c2j9) | Moodle open redirect vulnerability: open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an HTTP Referer header that has a substring match with a local URL. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-37pj-u3gh-n7fd (aliases: CVE-2016-2190) | Insertion of Sensitive Information into Log File: Moodle does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log. | Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-3xwm-hqap-8bct (aliases: CVE-2014-7848, GHSA-47cw-whh9-j2fq) | Exposure of Sensitive Information to an Unauthorized Actor: lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. | Affected by 0 other vulnerabilities. |
| VCID-46jw-xjbu-b3f1 (aliases: CVE-2015-0212, GHSA-jj3j-mhgc-g4m4) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): cross-site scripting (XSS) vulnerability in course/pending.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted course summary. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-4cx7-eaax-8uhr (aliases: CVE-2015-5337, GHSA-2hw6-6rgf-726v) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file. | Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-4kq5-ctsv-eka8 (aliases: CVE-2016-3733) | Improper Access Control: the "restore teacher" feature in Moodle allows remote authenticated users to overwrite the course id number. | Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-5c29-qn3p-3yde (aliases: CVE-2014-7846, GHSA-468q-9cmp-76wc) | Moodle does not consider the moodle/tag:edit capability before adding a tag: tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request. | Affected by 0 other vulnerabilities. |
| VCID-5nfq-4syg-87da (aliases: CVE-2015-0218, GHSA-5jph-mvfm-r27p) | Cross-Site Request Forgery (CSRF): cross-site request forgery (CSRF) vulnerability in auth/shibboleth/logout.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger a logout. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-5rbf-4dz3-2qdz (aliases: CVE-2017-7489) | Improper Privilege Management: remote authenticated users can take ownership of arbitrary blogs by editing an external blog link. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-5vx4-qtb2-fqe9 (aliases: CVE-2015-2270, GHSA-fp4h-j22r-vwcv) | Moodle allows attackers to obtain sensitive course information: lib/moodlelib.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4, when the theme uses the blocks-regions feature, establishes the course state at an incorrect point in the login-validation process, which allows remote attackers to obtain sensitive course information via unspecified vectors. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-62yh-cpfr-9bb1 (aliases: CVE-2015-3180, GHSA-688p-pgj4-77hh) | Exposure of Sensitive Information to an Unauthorized Actor: lib/navigationlib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to obtain sensitive course-structure information by leveraging access to a student account with a suspended enrolment. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-8cc1-hbzm-87bx (aliases: CVE-2016-3732, GHSA-5282-96ff-xx3h) | Exposure of Sensitive Information to an Unauthorized Actor: the capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users. | There are no reported fixed by versions. |
| VCID-8q4n-d565-kfbn (aliases: CVE-2014-7838, GHSA-43r4-vm25-qm78) | Cross-Site Request Forgery (CSRF): multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for requests that set a tracking preference within (1) mod/forum/deprecatedlib.php, (2) mod/forum/forum.js, (3) mod/forum/index.php, or (4) mod/forum/lib.php. | Affected by 0 other vulnerabilities. |
| VCID-95mq-m2jz-a3ab (aliases: CVE-2015-0217, GHSA-p497-37fc-xvvc) | Moodle allows attackers to cause a denial of service: filter/mediaplugin/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-9z66-z9af-17f7 (aliases: CVE-2015-0214, GHSA-4jm2-c9jr-6prf) | Moodle allows attackers to bypass a messaging-disabled setting: message/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to bypass a messaging-disabled setting via a web-services request, as demonstrated by a people-search request. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-a3pu-x51u-1udr (aliases: CVE-2015-0215, GHSA-fr9m-pjmm-qx9f) | Exposure of Sensitive Information to an Unauthorized Actor: calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-an53-nu91-k3d7 (aliases: CVE-2016-2152) | Cross-site Scripting: multiple cross-site scripting (XSS) vulnerabilities in `auth/db/auth.php` in Moodle allow remote attackers to inject arbitrary web script or HTML via an external DB profile field. | Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-aqc8-tmeg-9fdd (aliases: CVE-2015-0213, GHSA-hhq7-jf2p-hw9c) | Cross-Site Request Forgery (CSRF): multiple cross-site request forgery (CSRF) vulnerabilities in (1) editcategories.html and (2) editcategories.php in the Glossary module in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allow remote attackers to hijack the authentication of unspecified victims. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-b9ej-hx7z-1bb8 (aliases: CVE-2015-5340, GHSA-mmvj-j7hq-rx85) | Moodle sensitive information disclosure: Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbadges capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) `badges/overview.php` or (2) `badges/view.php`. | Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-bfmx-cwap-8yhp (aliases: CVE-2014-7847, GHSA-6vjg-2q57-rgfw) | Moodle allows attackers to cause a denial of service: iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote attackers to cause a denial of service (resource consumption) by triggering the calculation of an estimated latitude and longitude for an IP address. | Affected by 0 other vulnerabilities. |
| VCID-czph-uxwr-5uge (aliases: CVE-2014-3547, GHSA-hwjv-mc78-cccj) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): multiple cross-site scripting (XSS) vulnerabilities in badges/renderer.php in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via an external badge. | Affected by 0 other vulnerabilities. |
| VCID-d3yp-gq4c-vyf8 (aliases: CVE-2015-2271, GHSA-v3wp-35g3-m9mm) | Moodle does not consider the moodle/tag:flag capability: tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/tag:flag capability before proceeding with a flaginappropriate action, which allows remote authenticated users to bypass intended access restrictions via the "Flag as inappropriate" feature. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-dhku-uah4-ykh8 (aliases: CVE-2017-2641) | SQL Injection: an SQL injection can occur via user preferences. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-ea5s-xphb-6ub7 (aliases: CVE-2014-3542, GHSA-xmwv-mqh8-4xgw) | Exposure of Sensitive Information to an Unauthorized Actor: mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | Affected by 0 other vulnerabilities. |
| VCID-eaqp-7abt-6kg9 (aliases: CVE-2016-2159) | Improper Access Control: the `save_submission` function in `mod/assign/externallib.php` in Moodle allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request. | Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-emu7-jhv2-zqb8 (aliases: CVE-2015-3274, GHSA-f7qm-q26p-6rr2) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the absence of an external_format_text call in a web service. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-evke-m8nn-6ua3 (aliases: CVE-2015-5264, GHSA-mm9q-3847-m48x) | Moodle allows attackers to enter additional answer attempts: the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to bypass intended access restrictions and enter additional answer attempts by leveraging the student role. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-fumj-9pun-zfc5 (aliases: CVE-2014-7835, GHSA-vrf6-q7qj-69v5) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area. | Affected by 0 other vulnerabilities. |
| VCID-g4hn-yz26-1beb (aliases: CVE-2015-3179, GHSA-4ppg-2mx6-fqx9) | Moodle allows attackers to bypass intended login restrictions: login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to bypass intended login restrictions by leveraging access to an unconfirmed suspended account. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-gvan-87dt-b7fp (aliases: CVE-2015-3174, GHSA-6r7x-6q98-qcqp) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-h8xn-n98n-qqdv (aliases: CVE-2014-3543, GHSA-27j2-c838-c3qg) | Exposure of Sensitive Information to an Unauthorized Actor: mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format. | Affected by 0 other vulnerabilities. |
| VCID-hbky-xx53-vkct (aliases: CVE-2015-2269, GHSA-cp39-43xr-2wrp) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): multiple cross-site scripting (XSS) vulnerabilities in lib/javascript-static.js in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) alt or (2) title attribute in an IMG element. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-hck4-emsr-q7dc (aliases: CVE-2014-3617, GHSA-p5j7-26wj-423j) | Moodle allows discovery of an author's username: the forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum. | Affected by 1 other vulnerability. |
| VCID-j11s-2mhg-pfdn (aliases: CVE-2015-2267, GHSA-cm4r-58pj-h2ph) | Improper Access Control: mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-k6pw-51st-b3d2 (aliases: CVE-2016-2153) | Cross-site Scripting: cross-site scripting (XSS) vulnerability in the `advanced-search` feature in `mod_data` in Moodle allows remote attackers to inject arbitrary web script or HTML via a crafted field in a URL. | Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-kgvw-uxf4-wbc1 (aliases: CVE-2016-3734) | Cross-Site Request Forgery (CSRF): a cross-site request forgery (CSRF) vulnerability in `markposts.php` in Moodle allows remote attackers to hijack the authentication of users for requests that mark forum posts as read. | Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-krn6-pwk5-ake2 (aliases: CVE-2014-9060, GHSA-c87j-9rrq-h3j8) | Improper Input Validation: the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php. | Affected by 0 other vulnerabilities. |
| VCID-kzwd-2e6n-fkbm (aliases: CVE-2014-7836, GHSA-wpq5-q3mj-8f3r) | Cross-Site Request Forgery (CSRF): multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request. | Affected by 0 other vulnerabilities. |
| VCID-n9uc-b76m-8fbs (aliases: CVE-2015-3181, GHSA-622h-cjgg-5mx6) | Moodle allows attackers to bypass file-management restrictions: files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not consider the moodle/user:manageownfiles capability before approving a private-file upload, which allows remote authenticated users to bypass intended file-management restrictions by using web services to perform uploads after this capability has been revoked. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-nfdb-m7rg-47ca (aliases: CVE-2015-2266, GHSA-35pr-gqm6-r366) | Exposure of Sensitive Information to an Unauthorized Actor: message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/site:readallmessages capability before accessing arbitrary conversations, which allows remote authenticated users to obtain sensitive personal-contact and unread-message-count information via a modified URL. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-qxyw-7hnt-hqd6 (aliases: CVE-2014-3545, GHSA-3m99-h3hp-w9j7) | Improper Control of Generation of Code ('Code Injection'): Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz. | Affected by 0 other vulnerabilities. |
| VCID-r3f7-9paf-83ht (aliases: CVE-2015-1493, GHSA-gphj-63h8-r9vq) | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): directory traversal vulnerability in the min_get_slash_argument function in lib/configonlylib.php in Moodle through 2.5.9, 2.6.x before 2.6.8, 2.7.x before 2.7.5, and 2.8.x before 2.8.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter, as demonstrated by reading PHP scripts. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-r88h-mteg-yka9 (aliases: CVE-2014-3541, GHSA-fccf-p8fx-vjj4) | Improper Control of Generation of Code ('Code Injection'): the Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on. | Affected by 0 other vulnerabilities. |
| VCID-rdfn-52p2-afa7 (aliases: CVE-2014-7845, GHSA-9v64-447r-wch6) | Moodle temporary passwords are brute-forceable: the generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack. | Affected by 0 other vulnerabilities. |
| VCID-rscq-xx52-2ua8 (aliases: CVE-2015-2268, GHSA-36cm-vrqh-8p98) | Moodle allows attackers to cause a denial of service: filter/urltolink/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-s3bw-w61k-eqhy (aliases: CVE-2015-3176, GHSA-fqrg-vmvj-jv3x) | Exposure of Sensitive Information to an Unauthorized Actor: the account-confirmation feature in login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote attackers to obtain sensitive full-name information by attempting to self-register. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-s3ue-e5h8-f3dy (aliases: CVE-2016-3729) | Improper Access Control: the user editing form in Moodle allows remote authenticated users to edit profile fields locked by the administrator. | Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-s5cy-eva4-wbaf (aliases: CVE-2014-3551, GHSA-m8f5-9wg8-2c3h) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric. | Affected by 0 other vulnerabilities. |
| VCID-tmwc-f872-mufw (aliases: CVE-2015-2272, GHSA-5659-g9p4-354f) | Moodle allows attackers to bypass a forced-password-change requirement: login/token.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass a forced-password-change requirement by creating a web-services token. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-ucg8-htfc-2bhn (aliases: CVE-2014-3544, GHSA-c9jp-244j-vh78) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field. | Affected by 0 other vulnerabilities. |
| VCID-uptz-tj66-7yfk (aliases: CVE-2015-3175, GHSA-h798-h7ff-93xv) | Moodle arbitrary redirect: multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an error page that links to a URL from an HTTP Referer header. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-uvgt-7m5a-xkdc (aliases: CVE-2014-9059, GHSA-crcq-pw8h-9xwf) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts. | Affected by 0 other vulnerabilities. |
| VCID-v4qm-48kk-pfaz (aliases: CVE-2014-3553, GHSA-mg69-5q59-8jcg) | Moodle does not enforce the moodle/site:accessallgroups capability requirement: mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships. | Affected by 0 other vulnerabilities. |
| VCID-v54t-5thx-1beu (aliases: CVE-2016-8642, GHSA-x32v-7qw8-cpq8) | Improper Access Control: in Moodle 2.x and 3.x, the question engine allows access to files that should not be available. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. |
| VCID-v6ha-ekxw-7bfr (aliases: CVE-2015-3275, GHSA-6922-5v25-p8jg) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): multiple cross-site scripting (XSS) vulnerabilities in the SCORM module in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allow remote attackers to inject arbitrary web script or HTML via a crafted organization name to (1) mod/scorm/player.php or (2) mod/scorm/prereqs.php. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-v7zm-cw8w-6yf8 (aliases: CVE-2014-7834, GHSA-557f-2hv4-7jjm) | Moodle does not verify group permissions: mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service. | Affected by 0 other vulnerabilities. |
| VCID-vda3-4fgr-gfbw (aliases: CVE-2014-7832, GHSA-mphj-h2fc-62x3) | Moodle allows attackers to bypass the mod/lti:view capability requirement: mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance. | Affected by 0 other vulnerabilities. |
| VCID-vs2j-b4qg-nbgu (aliases: CVE-2014-3548, GHSA-f66h-6mj2-rwj2) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger an AJAX exception dialog. | Affected by 0 other vulnerabilities. |
| VCID-vtq4-fpr8-hudb (aliases: CVE-2017-7490) | Exposure of Resource to Wrong Sphere: in Moodle, searching of arbitrary blogs is possible because a capability check is missing. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-wavt-rrws-3yhs (aliases: CVE-2015-3178, GHSA-9fmw-m4qx-6cq8) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): cross-site scripting (XSS) vulnerability in the external_format_text function in lib/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML into an external application via a crafted string that is visible to web services. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-wawr-t9dc-33fj (aliases: CVE-2014-7831, GHSA-59j6-8g7w-prf7) | Exposure of Sensitive Information to an Unauthorized Actor: lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service. | Affected by 0 other vulnerabilities. |
| VCID-xmm4-zw49-3feh (aliases: CVE-2016-0724) | Information Exposure: the (1) `core_enrol_get_course_enrolment_methods` and (2) `enrol_self_get_instance_info` web services in Moodle do not consider the `moodle/course:viewhiddencourses` capability, which allows remote authenticated users to obtain sensitive information via a web-service request. | Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-xnmk-jah2-ufce (aliases: CVE-2014-7830, GHSA-j4mr-vc54-h5pc) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter. | Affected by 0 other vulnerabilities. |
| VCID-xy2y-yxfu-xfgm (aliases: CVE-2015-5265, GHSA-44xp-wj24-9xxj) | Moodle allows attackers to delete files: the wiki component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 does not consider the mod/wiki:managefiles capability before authorizing file management, which allows remote authenticated users to delete arbitrary files by using a manage-files button in a text editor. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-y2vh-7r7h-9ugu (aliases: CVE-2015-0211, GHSA-frhc-9hwc-x7j3) | Exposure of Sensitive Information to an Unauthorized Actor: mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before proceeding with registered-tool list searches, which allows remote authenticated users to obtain sensitive information via requests to the LTI Ajax service. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-qpu2-8paz-7ydv | Exposure of Sensitive Information to an Unauthorized Actor: the blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote authenticated users to de-anonymize student identities by (1) using a screen reader or (2) reading the HTML source. | CVE-2014-0215, GHSA-2fmv-j5xj-4fmq |