| purl | pkg:composer/moodle/moodle@2.7.13 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-4kq5-ctsv-eka8 (Aliases: CVE-2016-3733) | Improper Access Control: The "restore teacher" feature in Moodle allows remote authenticated users to overwrite the course id number. | Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-8cc1-hbzm-87bx (Aliases: CVE-2016-3732, GHSA-5282-96ff-xx3h) | Exposure of Sensitive Information to an Unauthorized Actor: The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users. | There are no reported fixed by versions. |
| VCID-kgvw-uxf4-wbc1 (Aliases: CVE-2016-3734) | Cross-Site Request Forgery (CSRF): A cross-site request forgery (CSRF) vulnerability in `markposts.php` in Moodle allows remote attackers to hijack the authentication of users for requests that mark forum posts as read. | Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-s3ue-e5h8-f3dy (Aliases: CVE-2016-3729) | Improper Access Control: The user editing form in Moodle allows remote authenticated users to edit profile fields locked by the administrator. | Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-37pj-u3gh-n7fd | Insertion of Sensitive Information into Log File: Moodle does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log. | CVE-2016-2190 |
| VCID-5hx1-9xbg-g3fn | Exposure of Sensitive Information to an Unauthorized Actor: `calendar/externallib.php` in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request. | CVE-2016-2156, GHSA-h8vc-v44p-5r2q |
| VCID-an53-nu91-k3d7 | Cross-site Scripting: Multiple cross-site scripting (XSS) vulnerabilities in `auth/db/auth.php` in Moodle allow remote attackers to inject arbitrary web script or HTML via an external DB profile field. | CVE-2016-2152 |
| VCID-eaqp-7abt-6kg9 | Improper Access Control: The `save_submission` function in `mod/assign/externallib.php` in Moodle allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request. | CVE-2016-2159 |
| VCID-k6pw-51st-b3d2 | Cross-site Scripting: Cross-site scripting (XSS) vulnerability in the `advanced-search` feature in `mod_data` in Moodle allows remote attackers to inject arbitrary web script or HTML via a crafted field in a URL. | CVE-2016-2153 |
| VCID-ryws-mr9v-7yfp | Exposure of Sensitive Information to an Unauthorized Actor: `lib/ajax/getnavbranch.php` in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request. | CVE-2016-2158, GHSA-m882-j7gq-v9p7 |
| VCID-sa6m-ecv7-x3ew | Cross-Site Request Forgery (CSRF): Cross-site request forgery (CSRF) vulnerability in `mod/assign/adminmanageplugins.php` in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests that manage Assignment plugins. | CVE-2016-2157, GHSA-f5pm-c4cw-563p |
| VCID-ujja-hfkh-wkez | Exposure of Sensitive Information to an Unauthorized Actor: `user/index.php` in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 grants excessive authorization on the basis of the `moodle/course:viewhiddenuserfields` capability, which allows remote authenticated users to discover student e-mail addresses by leveraging the teacher role and reading a Participants list. | CVE-2016-2151, GHSA-r3fc-hx6q-g6cq |