Package details: pkg:composer/moodle/moodle@2.9.3
purl pkg:composer/moodle/moodle@2.9.3
Next non-vulnerable version 3.0.9
Latest non-vulnerable version 3.11.6
Risk
Vulnerabilities affecting this package (2)

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3kq3-v2u1-fyhz (Aliases: CVE-2016-0725) | Cross-site Scripting: Cross-site scripting (XSS) vulnerability in the `search_pagination` function in `course/classes/management_renderer.php` in Moodle allows remote attackers to inject arbitrary web script or HTML via a crafted search string. | 2.9.4 (affected by 4 other vulnerabilities); 3.0.2 (affected by 4 other vulnerabilities) |
| VCID-xmm4-zw49-3feh (Aliases: CVE-2016-0724) | Information Exposure: The (1) `core_enrol_get_course_enrolment_methods` and (2) `enrol_self_get_instance_info` web services in Moodle do not consider the `moodle/course:viewhiddencourses` capability, which allows remote authenticated users to obtain sensitive information via a web-service request. | 2.9.4 (affected by 4 other vulnerabilities); 3.0.2 (affected by 4 other vulnerabilities) |

Vulnerabilities fixed by this package (9)

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-421n-34cp-cka8 | Moodle improper access control: Moodle 2.9.x before 2.9.3 does not properly check the contact list before authorizing message transmission, which allows remote authenticated users to bypass intended access restrictions and conduct spam attacks via the messaging API. | CVE-2015-5331, GHSA-m7cc-6vhg-39wr |
| VCID-4cx7-eaax-8uhr | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file. | CVE-2015-5337, GHSA-2hw6-6rgf-726v |
| VCID-a34q-gbqw-1bbr | Moodle allows attackers to bypass intended access restrictions: The choice module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote authenticated users to bypass intended access restrictions by visiting a URL to add or delete responses in the closed state. | CVE-2015-5342, GHSA-6xpm-q8x9-j3rw |
| VCID-b9ej-hx7z-1bb8 | Moodle sensitive information disclosure: Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the `moodle/badges:viewbadges` capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) `badges/overview.php` or (2) `badges/view.php`. | CVE-2015-5340, GHSA-mmvj-j7hq-rx85 |
| VCID-jcnw-cwmz-w7cz | Exposure of Sensitive Information to an Unauthorized Actor: The `core_enrol_get_enrolled_users` web service in `enrol/externallib.php` in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly implement group-based access restrictions, which allows remote authenticated users to obtain sensitive course-participant information via a web-service request. | CVE-2015-5339, GHSA-gmhr-6f43-7qpj |
| VCID-m6zk-p84r-vbh5 | Exposure of Sensitive Information to an Unauthorized Actor: `mod_scorm` in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 mishandles availability dates, which allows remote authenticated users to bypass intended access restrictions and read SCORM contents via unspecified vectors. | CVE-2015-5341, GHSA-c2r4-f8qv-2v7v |
| VCID-t214-wxz7-a3df | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering a crafted survey answer. | CVE-2015-5336, GHSA-grvw-qq2j-r898 |
| VCID-trvp-xzf5-pff8 | Cross-Site Request Forgery (CSRF): Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1) `mod/lesson/mediafile.php` or (2) `mod/lesson/view.php`. | CVE-2015-5338, GHSA-v33x-q8gh-4x42 |
| VCID-x2qp-yggf-z7h7 | Exposure of Sensitive Information to an Unauthorized Actor: Cross-site request forgery (CSRF) vulnerability in `admin/registration/register.php` in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote attackers to hijack the authentication of administrators for requests that send statistics to an arbitrary hub URL. | CVE-2015-5335, GHSA-hpmv-wvq3-gj27 |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-02T04:43:03.826306+00:00 | GitLab Importer | Fixing | VCID-trvp-xzf5-pff8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2015-5338.yml | 38.6.0 |
| 2026-06-02T04:42:57.685792+00:00 | GitLab Importer | Fixing | VCID-jcnw-cwmz-w7cz | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2015-5339.yml | 38.6.0 |
| 2026-06-02T04:42:55.755817+00:00 | GitLab Importer | Fixing | VCID-x2qp-yggf-z7h7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2015-5335.yml | 38.6.0 |
| 2026-06-02T04:42:55.682775+00:00 | GitLab Importer | Fixing | VCID-b9ej-hx7z-1bb8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2015-5340.yml | 38.6.0 |
| 2026-06-02T04:42:53.689189+00:00 | GitLab Importer | Fixing | VCID-421n-34cp-cka8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2015-5331.yml | 38.6.0 |
| 2026-06-02T04:42:50.599410+00:00 | GitLab Importer | Fixing | VCID-a34q-gbqw-1bbr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2015-5342.yml | 38.6.0 |
| 2026-06-02T04:42:35.976102+00:00 | GitLab Importer | Fixing | VCID-t214-wxz7-a3df | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2015-5336.yml | 38.6.0 |
| 2026-06-02T04:42:35.026300+00:00 | GitLab Importer | Fixing | VCID-m6zk-p84r-vbh5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2015-5341.yml | 38.6.0 |
| 2026-06-02T04:42:33.197028+00:00 | GitLab Importer | Fixing | VCID-4cx7-eaax-8uhr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2015-5337.yml | 38.6.0 |
| 2026-06-02T04:36:30.466401+00:00 | GitLab Importer | Affected by | VCID-xmm4-zw49-3feh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2016-0724.yml | 38.6.0 |
| 2026-06-02T04:36:30.357317+00:00 | GitLab Importer | Affected by | VCID-3kq3-v2u1-fyhz | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2016-0725.yml | 38.6.0 |