| purl | pkg:composer/moodle/moodle@3.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2dxb-v1af-jbax (Aliases: CVE-2017-7491) | Cross-Site Request Forgery (CSRF): A CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-37pj-u3gh-n7fd (Aliases: CVE-2016-2190) | Insertion of Sensitive Information into Log File: Moodle does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log. | Affected by 4 other vulnerabilities. |
| VCID-3kq3-v2u1-fyhz (Aliases: CVE-2016-0725) | Cross-site Scripting: Cross-site scripting (XSS) vulnerability in the `search_pagination` function in `course/classes/management_renderer.php` in Moodle allows remote attackers to inject arbitrary web script or HTML via a crafted search string. | Affected by 4 other vulnerabilities. |
| VCID-4kq5-ctsv-eka8 (Aliases: CVE-2016-3733) | Improper Access Control: The "restore teacher" feature in Moodle allows remote authenticated users to overwrite the course id number. | Affected by 2 other vulnerabilities. |
| VCID-5hx1-9xbg-g3fn (Aliases: CVE-2016-2156, GHSA-h8vc-v44p-5r2q) | Exposure of Sensitive Information to an Unauthorized Actor: calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request. | Affected by 4 other vulnerabilities. |
| VCID-5rbf-4dz3-2qdz (Aliases: CVE-2017-7489) | Improper Privilege Management: Remote authenticated users can take ownership of arbitrary blogs by editing an external blog link. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-65y9-9ur2-pugc (Aliases: CVE-2017-2576) | Improper Input Validation: There is incorrect sanitization of attributes in forums. | Affected by 4 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-7rut-8dau-e3cp (Aliases: CVE-2016-2155, GHSA-32hg-73hp-vwc8) | Moodle allows attackers to modify "Exclude grade" settings: The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging the Non-Editing Instructor role. | Affected by 4 other vulnerabilities. |
| VCID-8cc1-hbzm-87bx (Aliases: CVE-2016-3732, GHSA-5282-96ff-xx3h) | Exposure of Sensitive Information to an Unauthorized Actor: The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users. | There are no reported fixed by versions. |
| VCID-9nd7-4wve-97hc (Aliases: CVE-2017-12157) | Information Exposure: Various course reports allow teachers to view details about users in the groups they cannot access. | Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-an53-nu91-k3d7 (Aliases: CVE-2016-2152) | Cross-site Scripting: Multiple cross-site scripting (XSS) vulnerabilities in `auth/db/auth.php` in Moodle allow remote attackers to inject arbitrary web script or HTML via an external DB profile field. | Affected by 4 other vulnerabilities. |
| VCID-dhku-uah4-ykh8 (Aliases: CVE-2017-2641) | SQL Injection: An SQL injection can occur via user preferences. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
| VCID-dnya-ef8u-6bg1 (Aliases: CVE-2016-2154, GHSA-fmq9-58q4-xjw5) | Exposure of Sensitive Information to an Unauthorized Actor: admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to discover hidden course names by subscribing to a rule. | Affected by 4 other vulnerabilities. |
| VCID-eaqp-7abt-6kg9 (Aliases: CVE-2016-2159) | Improper Access Control: The `save_submission` function in `mod/assign/externallib.php` in Moodle allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request. | Affected by 4 other vulnerabilities. |
| VCID-fsex-f512-pudv (Aliases: CVE-2016-5013) | Injection Vulnerability: In Moodle, text injection can occur in email headers, potentially leading to outbound spam. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-k6pw-51st-b3d2 (Aliases: CVE-2016-2153) | Cross-site Scripting: Cross-site scripting (XSS) vulnerability in the `advanced-search` feature in `mod_data` in Moodle allows remote attackers to inject arbitrary web script or HTML via a crafted field in a URL. | Affected by 4 other vulnerabilities. |
| VCID-kgvw-uxf4-wbc1 (Aliases: CVE-2016-3734) | Cross-Site Request Forgery (CSRF): A cross-site request forgery (CSRF) vulnerability in `markposts.php` in Moodle allows remote attackers to hijack the authentication of users for requests that mark forum posts as read. | Affected by 2 other vulnerabilities. |
| VCID-qtt4-455b-abb6 (Aliases: CVE-2016-5014, GHSA-c4cq-v4wp-28hg) | Exposure of Sensitive Information to an Unauthorized Actor: In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-ryws-mr9v-7yfp (Aliases: CVE-2016-2158, GHSA-m882-j7gq-v9p7) | Exposure of Sensitive Information to an Unauthorized Actor: lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request. | Affected by 4 other vulnerabilities. |
| VCID-s3ue-e5h8-f3dy (Aliases: CVE-2016-3729) | Improper Access Control: The user editing form in Moodle allows remote authenticated users to edit profile fields locked by the administrator. | Affected by 2 other vulnerabilities. |
| VCID-sa6m-ecv7-x3ew (Aliases: CVE-2016-2157, GHSA-f5pm-c4cw-563p) | Cross-Site Request Forgery (CSRF): Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests that manage Assignment plugins. | Affected by 4 other vulnerabilities. |
| VCID-ujja-hfkh-wkez (Aliases: CVE-2016-2151, GHSA-r3fc-hx6q-g6cq) | Exposure of Sensitive Information to an Unauthorized Actor: user/index.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 grants excessive authorization on the basis of the moodle/course:viewhiddenuserfields capability, which allows remote authenticated users to discover student e-mail addresses by leveraging the teacher role and reading a Participants list. | Affected by 4 other vulnerabilities. |
| VCID-v54t-5thx-1beu (Aliases: CVE-2016-8642, GHSA-x32v-7qw8-cpq8) | Improper Access Control: In Moodle 2.x and 3.x, the question engine allows access to files that should not be available. | Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. |
| VCID-vb67-yux5-ayhf (Aliases: CVE-2016-7038) | Weak Password Recovery Mechanism for Forgotten Password: In Moodle, web service tokens are not invalidated when the user password is changed or forced to be changed. | Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. |
| VCID-vtq4-fpr8-hudb (Aliases: CVE-2017-7490) | Exposure of Resource to Wrong Sphere: In Moodle, searching of arbitrary blogs is possible because a capability check is missing. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-xmm4-zw49-3feh (Aliases: CVE-2016-0724) | Information Exposure: The (1) `core_enrol_get_course_enrolment_methods` and (2) `enrol_self_get_instance_info` web services in Moodle do not consider the `moodle/course:viewhiddencourses` capability, which allows remote authenticated users to obtain sensitive information via a web-service request. | Affected by 4 other vulnerabilities. |
| VCID-zgzm-wj81-jkah (Aliases: CVE-2017-12156) | Cross-site Scripting: Moodle has an XSS in the contact form on the "non-respondents" page in non-anonymous feedback. | Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||