| purl | pkg:composer/moodle/moodle@3.0.6 |
|---|---|

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2dxb-v1af-jbax (aliases: CVE-2017-7491, GHSA-3hmr-948v-5qgq) | Cross-Site Request Forgery (CSRF): A CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting. | Affected by 25 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 28 other vulnerabilities. |
| VCID-2s6b-tp6p-gue1 (aliases: CVE-2019-10186, GHSA-wv9c-pfpm-4wc5) | Cross-Site Request Forgery (CSRF): A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool. | Affected by 23 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-5rbf-4dz3-2qdz (aliases: CVE-2017-7489, GHSA-m34m-fgh4-v7cx) | Improper Privilege Management: Remote authenticated users can take ownership of arbitrary blogs by editing an external blog link. | Affected by 25 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 28 other vulnerabilities. |
| VCID-65y9-9ur2-pugc (aliases: CVE-2017-2576, GHSA-cjrf-xg77-chpw) | Improper Input Validation: There is incorrect sanitization of attributes in forums. | Affected by 29 other vulnerabilities. Affected by 44 other vulnerabilities. Affected by 35 other vulnerabilities. |
| VCID-83kb-4mk9-t7ge (aliases: CVE-2017-15110, GHSA-rjh8-w8jg-xwq5) | Information Exposure: Students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students. | Affected by 19 other vulnerabilities. Affected by 33 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-9nd7-4wve-97hc (aliases: CVE-2017-12157, GHSA-gw95-48xq-gqf9) | Information Exposure: Various course reports allow teachers to view details about users in the groups they cannot access. | Affected by 19 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 32 other vulnerabilities. |
| VCID-a6pb-47tu-afcg (aliases: CVE-2020-1692, GHSA-9328-7pcw-vw69) | Information Exposure: Moodle is vulnerable to information exposure of service tokens for users enrolled in the same course. | Affected by 17 other vulnerabilities. |
| VCID-ajkr-fxa1-mkhk (aliases: CVE-2018-1045, GHSA-595j-wpfg-23w4) | Cross-site Scripting: Moodle is vulnerable to XSS via a calendar event name. | Affected by 30 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 26 other vulnerabilities. |
| VCID-bjnq-q2nd-1khp (aliases: CVE-2018-16854, GHSA-xj5f-qv37-r9jc) | Cross-Site Request Forgery (CSRF): The login form is not protected by a token to prevent login cross-site request forgery. | Affected by 19 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 37 other vulnerabilities. |
| VCID-dhku-uah4-ykh8 (aliases: CVE-2017-2641, GHSA-xhq3-455r-xv44) | SQL Injection: An SQL injection can occur via user preferences. | Affected by 25 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 32 other vulnerabilities. |
| VCID-duna-st9c-mqbk (aliases: CVE-2018-1044, GHSA-332g-xh34-5c96) | Information Exposure: In Moodle, the quiz web services allow students to see quiz results when it is prohibited in the settings. | Affected by 30 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 32 other vulnerabilities. |
| VCID-eu27-a3px-87ed (aliases: CVE-2019-10189, GHSA-h7xp-7fjp-ghhc) | Improper Access Control: Teachers in an assignment group could modify group overrides for other groups in the same assignment. | Affected by 23 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-jcq6-btgz-fkf6 (aliases: CVE-2021-20183, GHSA-xhfx-rm8q-c3xv) | Cross-site Scripting: It was found in Moodle that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries. | Affected by 6 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-k1bh-ymgt-e7cd (aliases: CVE-2016-9187, GHSA-58fm-v4pr-jh8p) | Unrestricted Upload of File with Dangerous Type: Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. | Affected by 46 other vulnerabilities. |
| VCID-k73h-z6j8-gkgz (aliases: CVE-2019-3810, GHSA-wm4w-8vc6-2j4h) | Information Exposure: The `/userpix/` page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted. | Affected by 19 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 37 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-m3np-aebb-8qaa (aliases: CVE-2019-10154, GHSA-ww45-x87c-wgff) | Improper Access Control: A web service fetching messages was not restricted to the current user's conversations. | Affected by 13 other vulnerabilities. |
| VCID-m4zv-e3dn-budf (aliases: CVE-2018-1081, GHSA-v9xq-vh72-chr4) | Improper Access Control: Unauthenticated users can trigger custom messages to admin via the PayPal enrol script. The PayPal IPN callback script should only send error emails to admin after the request origin has been verified; otherwise the admin email can be spammed. | Affected by 19 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-mkfz-e1ft-2bcw (aliases: CVE-2021-20187, GHSA-2jrm-gww7-wch2) | Code Injection: It was found in Moodle that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. | Affected by 7 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-nntc-dsz1-e3fp (aliases: CVE-2021-20186, GHSA-h8m4-h385-qhqv) | Cross-site Scripting: It was found in Moodle that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS. | Affected by 7 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-qhv1-wgpm-7fh6 (aliases: CVE-2019-3849, GHSA-5wg9-5w3f-hxmh) | Improper Authorization: Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. | Affected by 13 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-r6kn-b963-eqge (aliases: CVE-2019-3850, GHSA-3fj7-9j8m-7r8g) | URL Redirection to Untrusted Site (Open Redirect): Links within assignment submission comments would open directly (in the same window). Although the links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits. | Affected by 15 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-s6uu-335k-yfbc (aliases: CVE-2019-3847, GHSA-qrcj-6fjw-3h9h) | Improper Input Validation: Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when viewed by the user logging in on their behalf. | Affected by 15 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-v54t-5thx-1beu (aliases: CVE-2016-8642, GHSA-x32v-7qw8-cpq8) | Improper Access Control: In Moodle 2.x and 3.x, the question engine allows access to files that should not be available. | Affected by 30 other vulnerabilities. Affected by 46 other vulnerabilities. |
| VCID-vfp6-4h8n-bkax (aliases: CVE-2018-14630, GHSA-c3pr-h96w-2jjg) | Code Injection: In Moodle, an XML import of ddwtos questions could lead to remote code execution. When importing legacy `drag and drop into text` (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source. | Affected by 19 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 38 other vulnerabilities. |
| VCID-vtq4-fpr8-hudb (aliases: CVE-2017-7490, GHSA-9x63-m3cc-qf3g) | Exposure of Resource to Wrong Sphere: In Moodle, searching of arbitrary blogs is possible because a capability check is missing. | Affected by 25 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 28 other vulnerabilities. |
| VCID-w9ca-exua-g7ar (aliases: CVE-2019-10188, GHSA-92q5-2h76-vgmj) | Improper Access Control: Teachers in a quiz group could modify group overrides for other groups in the same quiz. | Affected by 23 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-x7rg-rsb5-pya7 (aliases: CVE-2019-10187, GHSA-2mg9-hv69-897x) | Improper Access Control: Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to. | Affected by 23 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-y8up-cqtu-jkdw (aliases: CVE-2019-18210, GHSA-q6vw-27c6-jv9c) | Cross-site Scripting: Persistent XSS in `/course/modedit.php` of Moodle allows authenticated users (Teacher) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the `introeditor[text]` parameter. | Affected by 14 other vulnerabilities. |
| VCID-yghg-775s-vber (aliases: CVE-2018-1042, GHSA-qqjv-mc2v-p7mc) | Server-Side Request Forgery (SSRF): Moodle has Server Side Request Forgery in the `filepicker`. | Affected by 30 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 32 other vulnerabilities. |
| VCID-zgzm-wj81-jkah (aliases: CVE-2017-12156, GHSA-7mfw-g8x4-rq2w) | Cross-site Scripting: Moodle has an XSS in the contact form on the "non-respondents" page in non-anonymous feedback. | Affected by 19 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 33 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-zjrq-np3y-hua5 (aliases: CVE-2019-3848, GHSA-45rw-4r25-jvg7) | Information Exposure: Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. | Affected by 13 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-zwkk-zazw-6fgg (aliases: CVE-2021-20184, GHSA-mm73-86f9-5x5c) | Improper Validation of Integrity Check Value: It was found in Moodle that insufficient capability checks in some grade-related web services meant students were able to view other students' grades. | Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-vb67-yux5-ayhf | Weak Password Recovery Mechanism for Forgotten Password: In Moodle, web service tokens are not invalidated when the user password is changed or forced to be changed. | CVE-2016-7038, GHSA-2phx-w35g-x9vm |