Search for packages
| purl | pkg:composer/moodle/moodle@2.7.6 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2y3m-yuaj-vkf2 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in mod/quiz/report/statistics/statistics_question_table.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the student role for a crafted quiz response. |
CVE-2015-2273
GHSA-w77v-xpxr-c6pv |
| VCID-5vx4-qtb2-fqe9 | Moodle allows attackers to obtain sensitive course information lib/moodlelib.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4, when the theme uses the blocks-regions feature, establishes the course state at an incorrect point in the login-validation process, which allows remote attackers to obtain sensitive course information via unspecified vectors. |
CVE-2015-2270
GHSA-fp4h-j22r-vwcv |
| VCID-d3yp-gq4c-vyf8 | Moodle does not consider the moodle/tag:flag capability tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/tag:flag capability before proceeding with a flaginappropriate action, which allows remote authenticated users to bypass intended access restrictions via the "Flag as inappropriate" feature. |
CVE-2015-2271
GHSA-v3wp-35g3-m9mm |
| VCID-hbky-xx53-vkct | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript-static.js in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) alt or (2) title attribute in an IMG element. |
CVE-2015-2269
GHSA-cp39-43xr-2wrp |
| VCID-j11s-2mhg-pfdn | Improper Access Control mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value. |
CVE-2015-2267
GHSA-cm4r-58pj-h2ph |
| VCID-nfdb-m7rg-47ca | Exposure of Sensitive Information to an Unauthorized Actor message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/site:readallmessages capability before accessing arbitrary conversations, which allows remote authenticated users to obtain sensitive personal-contact and unread-message-count information via a modified URL. |
CVE-2015-2266
GHSA-35pr-gqm6-r366 |
| VCID-rscq-xx52-2ua8 | Moodle allows attackers to cause a denial of service filter/urltolink/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression. |
CVE-2015-2268
GHSA-36cm-vrqh-8p98 |
| VCID-tmwc-f872-mufw | Moodle allows attackers to bypass a forced-password-change requirement login/token.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass a forced-password-change requirement by creating a web-services token. |
CVE-2015-2272
GHSA-5659-g9p4-354f |