| purl | pkg:composer/moodle/moodle@2.7.8 |
Vulnerabilities affecting pkg:composer/moodle/moodle@2.7.8:

| Vulnerability | Aliases | Weakness | Summary |
|---|---|---|---|
| VCID-2dxb-v1af-jbax | CVE-2017-7491, GHSA-3hmr-948v-5qgq | Cross-Site Request Forgery (CSRF) | A CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting. |
| VCID-2s6b-tp6p-gue1 | CVE-2019-10186, GHSA-wv9c-pfpm-4wc5 | Cross-Site Request Forgery (CSRF) | A sesskey (CSRF) token was not being used by the XML loading/unloading admin tool. |
| VCID-37pj-u3gh-n7fd | CVE-2016-2190, GHSA-r9pc-g29w-f86j | Insertion of Sensitive Information into Log File | Moodle does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log. |
| VCID-4kq5-ctsv-eka8 | CVE-2016-3733, GHSA-gr8j-qm8r-rfgg | Improper Access Control | The "restore teacher" feature in Moodle allows remote authenticated users to overwrite the course id number. |
| VCID-5rbf-4dz3-2qdz | CVE-2017-7489, GHSA-m34m-fgh4-v7cx | Improper Privilege Management | Remote authenticated users can take ownership of arbitrary blogs by editing an external blog link. |
| VCID-65y9-9ur2-pugc | CVE-2017-2576, GHSA-cjrf-xg77-chpw | Improper Input Validation | Incorrect sanitization of attributes in forums. |
| VCID-83kb-4mk9-t7ge | CVE-2017-15110, GHSA-rjh8-w8jg-xwq5 | Information Exposure | Students can find out the email addresses of other students in the same course. Using search on the Participants page, students could search the email addresses of all participants regardless of email visibility, which allows enumerating and guessing the emails of other students. |
| VCID-a6pb-47tu-afcg | CVE-2020-1692, GHSA-9328-7pcw-vw69 | Information Exposure | Moodle is vulnerable to information exposure of service tokens for users enrolled in the same course. |
| VCID-ajkr-fxa1-mkhk | CVE-2018-1045, GHSA-595j-wpfg-23w4 | Cross-site Scripting | Moodle is vulnerable to XSS via a calendar event name. |
| VCID-an53-nu91-k3d7 | CVE-2016-2152, GHSA-6mxm-wpqv-675h | Cross-site Scripting | Multiple cross-site scripting (XSS) vulnerabilities in `auth/db/auth.php` in Moodle allow remote attackers to inject arbitrary web script or HTML via an external DB profile field. |
| VCID-bjnq-q2nd-1khp | CVE-2018-16854, GHSA-xj5f-qv37-r9jc | Cross-Site Request Forgery (CSRF) | The login form is not protected by a token to prevent login cross-site request forgery. |
| VCID-dhku-uah4-ykh8 | CVE-2017-2641, GHSA-xhq3-455r-xv44 | SQL Injection | An SQL injection can occur via user preferences. |
| VCID-duna-st9c-mqbk | CVE-2018-1044, GHSA-332g-xh34-5c96 | Information Exposure | In Moodle, the quiz web services allow students to see quiz results when this is prohibited in the settings. |
| VCID-eaqp-7abt-6kg9 | CVE-2016-2159, GHSA-cw72-69wq-f9f2 | Improper Access Control | The `save_submission` function in `mod/assign/externallib.php` in Moodle allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request. |
| VCID-eu27-a3px-87ed | CVE-2019-10189, GHSA-h7xp-7fjp-ghhc | Improper Access Control | Teachers in an assignment group could modify group overrides for other groups in the same assignment. |
| VCID-fsex-f512-pudv | CVE-2016-5013, GHSA-2hh3-jmv8-5fmx | Injection Vulnerability | In Moodle, text injection can occur in email headers, potentially leading to outbound spam. |
| VCID-jcq6-btgz-fkf6 | CVE-2021-20183, GHSA-xhfx-rm8q-c3xv | Cross-site Scripting | Some search inputs in Moodle were vulnerable to reflected XSS due to insufficient escaping of search queries. |
| VCID-k1bh-ymgt-e7cd | CVE-2016-9187, GHSA-58fm-v4pr-jh8p | Unrestricted Upload of File with Dangerous Type | Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. |
| VCID-k6pw-51st-b3d2 | CVE-2016-2153, GHSA-mj85-3hqq-r6r9 | Cross-site Scripting | Cross-site scripting (XSS) vulnerability in the `advanced-search` feature in `mod_data` in Moodle allows remote attackers to inject arbitrary web script or HTML via a crafted field in a URL. |
| VCID-k73h-z6j8-gkgz | CVE-2019-3810, GHSA-wm4w-8vc6-2j4h | Information Exposure | The `/userpix/` page did not escape users' full names, which are included as text when hovering over profile images. Note that this page is not linked to by default and its access is restricted. |
| VCID-kgvw-uxf4-wbc1 | CVE-2016-3734, GHSA-r867-v437-4rrm | Cross-Site Request Forgery (CSRF) | A cross-site request forgery (CSRF) vulnerability in `markposts.php` in Moodle allows remote attackers to hijack the authentication of users for requests that mark forum posts as read. |
| VCID-m3np-aebb-8qaa | CVE-2019-10154, GHSA-ww45-x87c-wgff | Improper Access Control | A web service fetching messages was not restricted to the current user's conversations. |
| VCID-m4zv-e3dn-budf | CVE-2018-1081, GHSA-v9xq-vh72-chr4 | Improper Access Control | Unauthenticated users can trigger custom messages to the admin via the PayPal enrol script. The PayPal IPN callback script should only send error emails to the admin after the request origin has been verified; otherwise the admin email can be spammed. |
| VCID-mkfz-e1ft-2bcw | CVE-2021-20187, GHSA-2jrm-gww7-wch2 | Code Injection | Site administrators could execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. |
| VCID-nntc-dsz1-e3fp | CVE-2021-20186, GHSA-h8m4-h385-qhqv | Cross-site Scripting | If the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS. |
| VCID-qhv1-wgpm-7fh6 | CVE-2019-3849, GHSA-5wg9-5w3f-hxmh | Improper Authorization | Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. |
| VCID-r6kn-b963-eqge | CVE-2019-3850, GHSA-3fj7-9j8m-7r8g | URL Redirection to Untrusted Site (Open Redirect) | Links within assignment submission comments would open directly (in the same window). Although the links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits. |
| VCID-s3ue-e5h8-f3dy | CVE-2016-3729, GHSA-g96h-wvrm-c2ww | Improper Access Control | The user editing form in Moodle allows remote authenticated users to edit profile fields locked by the administrator. |
| VCID-s6uu-335k-yfbc | CVE-2019-3847, GHSA-qrcj-6fjw-3h9h | Improper Input Validation | Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when viewed by the user logging in on their behalf. |
| VCID-vb67-yux5-ayhf | CVE-2016-7038, GHSA-2phx-w35g-x9vm | Weak Password Recovery Mechanism for Forgotten Password | In Moodle, web service tokens are not invalidated when the user password is changed or forced to be changed. |
| VCID-vfp6-4h8n-bkax | CVE-2018-14630, GHSA-c3pr-h96w-2jjg | Code Injection | XML import of ddwtos questions could lead to remote code execution. When importing legacy `drag and drop into text` (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source. |
| VCID-vtq4-fpr8-hudb | CVE-2017-7490, GHSA-9x63-m3cc-qf3g | Exposure of Resource to Wrong Sphere | In Moodle, searching of arbitrary blogs is possible because a capability check is missing. |
| VCID-w9ca-exua-g7ar | CVE-2019-10188, GHSA-92q5-2h76-vgmj | Improper Access Control | Teachers in a quiz group could modify group overrides for other groups in the same quiz. |
| VCID-x7rg-rsb5-pya7 | CVE-2019-10187, GHSA-2mg9-hv69-897x | Improper Access Control | Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to. |
| VCID-xmm4-zw49-3feh | CVE-2016-0724, GHSA-hjrj-7wcj-7j3c | Information Exposure | The (1) `core_enrol_get_course_enrolment_methods` and (2) `enrol_self_get_instance_info` web services in Moodle do not consider the `moodle/course:viewhiddencourses` capability, which allows remote authenticated users to obtain sensitive information via a web-service request. |
| VCID-y8up-cqtu-jkdw | CVE-2019-18210, GHSA-q6vw-27c6-jv9c | Cross-site Scripting | Persistent XSS in `/course/modedit.php` of Moodle allows authenticated users (Teacher) to inject JavaScript into the session of another user (e.g., an enrolled student or site administrator) via the `introeditor[text]` parameter. |
| VCID-yghg-775s-vber | CVE-2018-1042, GHSA-qqjv-mc2v-p7mc | Server-Side Request Forgery (SSRF) | Moodle has Server Side Request Forgery in the `filepicker`. |
| VCID-zjrq-np3y-hua5 | CVE-2019-3848, GHSA-45rw-4r25-jvg7 | Information Exposure | Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. |
| VCID-zwkk-zazw-6fgg | CVE-2021-20184, GHSA-mm73-86f9-5x5c | Improper Validation of Integrity Check Value | Insufficient capability checks in some grade-related web services meant students were able to view other students' grades. |
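Four of the entries above are CSRF (CVE-2017-7491, CVE-2019-10186, CVE-2016-3734 and the login-form case CVE-2018-16854). The following is an added example, not Moodle's own `sesskey` code: a session-bound anti-CSRF token in plain Python that shows the two checks those advisories describe as missing, a token on every state-changing request (and no state change on GET, since `markposts.php`-style links can be triggered by an `<img>` tag), and a token on the login form itself, bound to the pre-authentication session and rotated together with the session id after login. `Session`, `SessionStore`, `require_sesskey`, `set_course_overview_count` and `login` are this example's names, and `users` is a constructed toy credential table.

```python
"""Session-bound anti-CSRF token with login-CSRF handling (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    sid: str
    user: Optional[str] = None
    # One unpredictable token per session; never derived from the sid.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new(self) -> Session:
        """Session for an anonymous visitor, so the login form can carry a token
        bound to it before any credentials are known."""
        s = Session(sid=secrets.token_urlsafe(32))
        self._sessions[s.sid] = s
        return s

    def get(self, sid: Optional[str]) -> Optional[Session]:
        return self._sessions.get(sid) if sid else None

    def rotate(self, session: Session) -> Session:
        """New sid and new token after a privilege change (login); the old sid
        stops working, so a token captured pre-login is useless afterwards."""
        del self._sessions[session.sid]
        fresh = Session(sid=secrets.token_urlsafe(32), user=session.user)
        self._sessions[fresh.sid] = fresh
        return fresh


def require_sesskey(session: Optional[Session], submitted: Optional[str]) -> bool:
    """True only if the request carries the token that belongs to this session.
    Constant-time compare, so the token cannot be recovered byte by byte."""
    if session is None or not submitted:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


def set_course_overview_count(store: SessionStore, sid: str, method: str,
                              submitted_token: Optional[str], count: int,
                              settings: Dict[str, int]) -> bool:
    """State-changing admin action (the setting named in CVE-2017-7491).
    Refuse GET (a link or <img> can trigger it) and refuse a missing or
    foreign token."""
    session = store.get(sid)
    if method != "POST" or session is None or session.user is None:
        return False
    if not require_sesskey(session, submitted_token):
        return False
    settings["course_overview_count"] = count
    return True


def login(store: SessionStore, sid: str, submitted_token: Optional[str],
          username: str, password: str, users: Dict[str, str]) -> Optional[Session]:
    """Login CSRF (the CVE-2018-16854 class): the login form must carry a token
    bound to the pre-authentication session, otherwise a cross-site POST can
    log the victim's browser into an attacker-chosen account.
    `users` is a constructed plaintext table for the example only."""
    session = store.get(sid)
    if not require_sesskey(session, submitted_token):
        return None
    if users.get(username) != password:
        return None
    session.user = username
    return store.rotate(session)
```

The token is per session rather than per request, which is what makes the login case work: the anonymous session that rendered the form is the only one whose token will verify, and rotating it on success means nothing captured before authentication carries over.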
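CVE-2016-9187 above is the double-extension upload case: a name such as `shell.php.jpg` passes a check that only looks at the final extension, yet Apache's mod_mime applies handlers to every extension of a file name, so under an `AddHandler ... .php` mapping the file can still run as PHP. The following is an added example, not Moodle's image-module code: the naive check beside a hardened one that examines every segment after the stem, rejects server-side extensions anywhere, dotfiles and empty segments, verifies the content's magic bytes against the claimed type, and stores the file under a random name. The allow-lists, the `MAGIC` table and the function names are this example's own assumptions.

```python
"""Double-extension upload check (added example)."""
import os
import re
import secrets
from typing import List, Optional

IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}
# Extensions a typical PHP host hands to an interpreter or that change server
# behaviour. Assumed list for the example; tune it to the real server config.
SERVER_SIDE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                          "phps", "cgi", "pl", "py", "sh", "htaccess"}
# Constructed magic-byte table for the content check (webp is checked specially).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
_SEGMENT = re.compile(r"[a-z0-9]+")


def naive_is_allowed(filename: str) -> bool:
    """The CVE-2016-9187 pattern: only the final extension is examined."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in IMAGE_EXTENSIONS


def extensions(filename: str) -> List[str]:
    """All dot-separated segments after the stem of the base name."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or parts[0] == "":
        return []  # no extension, or a dotfile such as .htaccess
    return parts[1:]


def hardened_extension(filename: str) -> Optional[str]:
    """Return the allow-listed extension, or None. Any server-side extension in
    any position, an empty segment ('a..jpg', trailing dot) or odd characters
    reject the name outright."""
    exts = extensions(filename)
    if not exts:
        return None
    if any(e in SERVER_SIDE_EXTENSIONS for e in exts):
        return None
    if any(not _SEGMENT.fullmatch(e) for e in exts):
        return None
    return exts[-1] if exts[-1] in IMAGE_EXTENSIONS else None


def content_matches(ext: str, data: bytes) -> bool:
    """Cheap signature check so the bytes agree with the claimed image type."""
    if ext == "webp":
        return data[:4] == b"RIFF" and data[8:12] == b"WEBP"
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def accept_upload(filename: str, data: bytes) -> Optional[str]:
    """Return the name to store under, or None. The stored name is random with a
    single allow-listed extension, so the user-supplied name never reaches disk."""
    ext = hardened_extension(filename)
    if ext is None or not content_matches(ext, data):
        return None
    return f"{secrets.token_hex(8)}.{ext}"
```

Serving uploads from a directory with script execution disabled (or from a separate origin) is the control that holds even when a name check is bypassed; the check above reduces what reaches that directory, it does not replace the server-side rule.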
Vulnerabilities fixed by pkg:composer/moodle/moodle@2.7.8 (each advisory's affected range ends at "2.7.x before 2.7.8"):

| Vulnerability | Aliases | Weakness or title | Summary |
|---|---|---|---|
| VCID-62yh-cpfr-9bb1 | CVE-2015-3180, GHSA-688p-pgj4-77hh | Exposure of Sensitive Information to an Unauthorized Actor | `lib/navigationlib.php` in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to obtain sensitive course-structure information by leveraging access to a student account with a suspended enrolment. |
| VCID-g4hn-yz26-1beb | CVE-2015-3179, GHSA-4ppg-2mx6-fqx9 | Moodle allows attackers to bypass intended login restrictions | `login/confirm.php` in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to bypass intended login restrictions by leveraging access to an unconfirmed suspended account. |
| VCID-gvan-87dt-b7fp | CVE-2015-3174, GHSA-6r7x-6q98-qcqp | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | `mod/quiz/db/access.php` in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading. |
| VCID-n9uc-b76m-8fbs | CVE-2015-3181, GHSA-622h-cjgg-5mx6 | Moodle allows attackers to bypass file-management restrictions | `files/externallib.php` in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not consider the `moodle/user:manageownfiles` capability before approving a private-file upload, which allows remote authenticated users to bypass intended file-management restrictions by using web services to perform uploads after this capability has been revoked. |
| VCID-s3bw-w61k-eqhy | CVE-2015-3176, GHSA-fqrg-vmvj-jv3x | Exposure of Sensitive Information to an Unauthorized Actor | The account-confirmation feature in `login/confirm.php` in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote attackers to obtain sensitive full-name information by attempting to self-register. |
| VCID-uptz-tj66-7yfk | CVE-2015-3175, GHSA-h798-h7ff-93xv | Moodle Arbitrary Redirect | Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an error page that links to a URL from an HTTP Referer header. |
| VCID-wavt-rrws-3yhs | CVE-2015-3178, GHSA-9fmw-m4qx-6cq8 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Cross-site scripting (XSS) vulnerability in the `external_format_text` function in `lib/externallib.php` in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML into an external application via a crafted string that is visible to web services. |
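All seven advisories in this table state their affected versions in the same NVD prose form, "through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6", and a practitioner checking a deployed Moodle wants that phrasing turned into a decision. The following is an added example, not VulnerableCode's own range handling (which stores ranges in its own notation, not this prose): it parses the two clause shapes, `through A` (every version up to and including A) and `M.N.x before V` (branch M.N below V), extracts the version from the purl at the top of the page, and reports which of the listed CVEs apply. `parse_ranges`, `is_affected`, `version_from_purl`, `affecting` and the `ADVISORIES` table (constructed from the rows above) are this example's own names.

```python
"""Evaluate NVD-style 'through A, M.N.x before V' ranges against a purl version
(added example)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

_THROUGH = re.compile(r"\bthrough (\d+(?:\.\d+)*)")
_BRANCH_BEFORE = re.compile(r"(\d+\.\d+)\.x before (\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    return tuple(int(p) for p in text.strip().split("."))


def version_from_purl(purl: str) -> Version:
    """'pkg:composer/moodle/moodle@2.7.8' -> (2, 7, 8)."""
    return parse_version(purl.rsplit("@", 1)[1])


def parse_ranges(summary: str) -> List[Tuple[str, Version, Version]]:
    """(kind, branch, bound) triples:
    'through A'       -> ('le', (), A)            every version <= A
    'M.N.x before V'  -> ('branch_lt', (M, N), V) versions on branch M.N and < V"""
    ranges: List[Tuple[str, Version, Version]] = []
    m = _THROUGH.search(summary)
    if m:
        ranges.append(("le", (), parse_version(m.group(1))))
    for branch, before in _BRANCH_BEFORE.findall(summary):
        ranges.append(("branch_lt", parse_version(branch), parse_version(before)))
    return ranges


def is_affected(version: Version, summary: str) -> bool:
    """True if the version falls inside any stated range. False means only
    'outside the stated ranges': a branch the advisory never mentions
    (e.g. 2.9.x) is not thereby proven safe."""
    for kind, branch, bound in parse_ranges(summary):
        if kind == "le" and version <= bound:
            return True
        if kind == "branch_lt" and version[:2] == branch and version < bound:
            return True
    return False


# Constructed from the table above: CVE -> the range clause of its summary.
_RANGE = ("Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, "
          "and 2.8.x before 2.8.6")
ADVISORIES: Dict[str, str] = {
    "CVE-2015-3180": _RANGE, "CVE-2015-3179": _RANGE, "CVE-2015-3174": _RANGE,
    "CVE-2015-3181": _RANGE, "CVE-2015-3176": _RANGE, "CVE-2015-3175": _RANGE,
    "CVE-2015-3178": _RANGE,
}


def affecting(purl: str, advisories: Dict[str, str]) -> List[str]:
    """CVE ids whose range covers the purl's version, sorted."""
    version = version_from_purl(purl)
    return sorted(cve for cve, text in advisories.items() if is_affected(version, text))


if __name__ == "__main__":
    for purl in ("pkg:composer/moodle/moodle@2.7.8", "pkg:composer/moodle/moodle@2.7.7"):
        print(purl, "->", affecting(purl, ADVISORIES) or "none of the listed CVEs")
```

Running it confirms what the table implies: 2.7.8 is outside every range, while 2.7.7 matches all seven. The version tuple comparison is purely numeric, so pre-release or `+build` suffixes would need stripping before `parse_version`, and the `through` clause is deliberately not branch-restricted because NVD uses it for "everything up to and including".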