| purl | pkg:composer/moodle/moodle@3.2.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1hht-sfqa-wkan (Aliases: CVE-2017-7491, GHSA-3hmr-948v-5qgq) | Cross-Site Request Forgery (CSRF): A CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting. | Affected by 44 other vulnerabilities. |
| VCID-2avg-qvn9-bkdn (Aliases: CVE-2019-3808, GHSA-4r2p-wpv5-683w) | Cross-site Scripting: The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default. | Affected by 33 other vulnerabilities. Affected by 52 other vulnerabilities. Affected by 35 other vulnerabilities. |
| VCID-2et6-3ejg-27b8 (Aliases: CVE-2021-32473, GHSA-wx87-h539-4775) | Exposure of Sensitive Information to an Unauthorized Actor: It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. | Affected by 11 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-3gup-tvzm-z7dt (Aliases: CVE-2018-1045, GHSA-595j-wpfg-23w4) | Cross-site Scripting: Moodle is vulnerable to XSS via a calendar event name. | Affected by 35 other vulnerabilities. Affected by 42 other vulnerabilities. |
| VCID-3r3j-bqzm-5ufz (Aliases: CVE-2019-10154, GHSA-ww45-x87c-wgff) | Improper Access Control: A web service fetching messages was not restricted to the current user's conversations. | Affected by 26 other vulnerabilities. |
| VCID-44x7-sn7m-4kga (Aliases: CVE-2017-2645, GHSA-9cg4-4f87-jhm3) | Cross-site Scripting: In Moodle, an XSS can occur via attachments to evidence of prior learning. | Affected by 48 other vulnerabilities. |
| VCID-4nnu-qu33-27gx (Aliases: CVE-2017-7489, GHSA-m34m-fgh4-v7cx) | Improper Privilege Management: Remote authenticated users can take ownership of arbitrary blogs by editing an external blog link. | Affected by 44 other vulnerabilities. |
| VCID-4s7h-83dq-aua7 (Aliases: CVE-2021-20184, GHSA-mm73-86f9-5x5c) | | Affected by 22 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
| VCID-4t6w-wvj2-ffek (Aliases: CVE-2017-15110, GHSA-rjh8-w8jg-xwq5) | Information Exposure: Students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students. | Affected by 39 other vulnerabilities. Affected by 46 other vulnerabilities. |
| VCID-6x4n-my8x-sbfg (Aliases: CVE-2021-32476, GHSA-4qxc-qxrp-33cw) | Uncontrolled Resource Consumption: A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. | Affected by 11 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-7gra-fj8d-byej (Aliases: CVE-2017-2642, GHSA-54r2-r67g-fr9m) | Information Exposure: Moodle has a user fullname disclosure through the user preferences page. | Affected by 42 other vulnerabilities. Affected by 51 other vulnerabilities. Affected by 48 other vulnerabilities. |
| VCID-937t-wbcy-qfbz (Aliases: CVE-2017-2644, GHSA-93gj-rg98-h7mm) | Cross-site Scripting: An XSS can occur via evidence of prior learning. | Affected by 48 other vulnerabilities. |
| VCID-a7n4-f1nk-vqec (Aliases: CVE-2021-20183, GHSA-xhfx-rm8q-c3xv) | | Affected by 33 other vulnerabilities. Affected by 3 other vulnerabilities. |
| VCID-a8sa-7ed7-wbby (Aliases: CVE-2021-32475, GHSA-5wjh-v7c8-wrhx) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. | Affected by 11 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-ahbw-7fj3-eugs (Aliases: CVE-2017-2641, GHSA-xhq3-455r-xv44) | SQL Injection: An SQL injection can occur via user preferences. | Affected by 48 other vulnerabilities. |
| VCID-ajnx-w4at-7fgp (Aliases: CVE-2021-20187, GHSA-2jrm-gww7-wch2) | | Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
| VCID-b3hr-pfv8-uqf6 (Aliases: CVE-2017-12157, GHSA-gw95-48xq-gqf9) | Information Exposure: Various course reports allow teachers to view details about users in the groups they cannot access. | Affected by 41 other vulnerabilities. Affected by 48 other vulnerabilities. |
| VCID-beap-cjmv-s7he (Aliases: CVE-2018-1043, GHSA-hpwm-84h5-vqr8) | Insufficient Access Control: The setting for the blocked hosts list can be bypassed with multiple A record `hostnames`. | Affected by 35 other vulnerabilities. Affected by 42 other vulnerabilities. Affected by 48 other vulnerabilities. |
| VCID-cf2z-a3h4-jkhf (Aliases: CVE-2022-0333, GHSA-m434-m5pv-p35w) | Incorrect Authorization: The `calendar:manageentries` capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events. | Affected by 6 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-d2au-r7m3-cyc8 (Aliases: CVE-2019-10189, GHSA-h7xp-7fjp-ghhc) | | Affected by 40 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 33 other vulnerabilities. |
| VCID-d9xk-d7zc-rbeq (Aliases: CVE-2018-1136, GHSA-xhfw-wjjc-4j5h) | Cross-site Scripting: An issue was discovered in Moodle. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other pages where they can be viewed by other users. | Affected by 29 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 41 other vulnerabilities. |
| VCID-dhu5-3tda-2qfx (Aliases: CVE-2021-20186, GHSA-h8m4-h385-qhqv) | | Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 33 other vulnerabilities. |
| VCID-dxn4-ry85-43dp (Aliases: CVE-2018-1135, GHSA-vxmv-74rf-vqgp) | Information Exposure: An issue was discovered in Moodle. Students who posted on forums and exported the posts to portfolios can download any stored Moodle file by changing the download URL. | Affected by 29 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 41 other vulnerabilities. |
| VCID-e52k-bb2k-tbgh (Aliases: CVE-2021-43558, GHSA-wpfp-q843-v772) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): A URL parameter in the filetype site administrator tool requires extra sanitizing to prevent a reflected XSS risk. | Affected by 7 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 18 other vulnerabilities. |
| VCID-eb8w-rqef-sqca (Aliases: CVE-2019-3849, GHSA-5wg9-5w3f-hxmh) | Improper Authorization: Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. | Affected by 29 other vulnerabilities. Affected by 47 other vulnerabilities. Affected by 29 other vulnerabilities. |
| VCID-ehpf-6ra7-syfy (Aliases: CVE-2018-14630, GHSA-c3pr-h96w-2jjg) | Code Injection: In Moodle, an XML import of ddwtos questions could lead to intentional remote code execution. When importing legacy `drag and drop into text` (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source. | Affected by 30 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 56 other vulnerabilities. |
| VCID-eq8q-vrca-xbdb (Aliases: CVE-2021-40691, GHSA-92vh-mr2w-j2cr) | | Affected by 21 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 22 other vulnerabilities. |
| VCID-ewcg-abf2-5uff (Aliases: CVE-2017-7532, GHSA-jjhx-5jff-rc8m) | Improper Privilege Management: Course creators are able to change system default settings for courses. | Affected by 42 other vulnerabilities. Affected by 51 other vulnerabilities. Affected by 48 other vulnerabilities. |
| VCID-exk5-1mmz-7kep (Aliases: CVE-2021-40693, GHSA-2jxg-mv2m-j4r7) | | Affected by 21 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 22 other vulnerabilities. |
| VCID-ez7x-sprg-effa (Aliases: CVE-2018-1133, GHSA-xh2j-q4mc-v522) | Injection Vulnerability: An issue was discovered in Moodle. A Teacher creating a Calculated question can intentionally cause remote code execution on the server. | Affected by 29 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 41 other vulnerabilities. |
| VCID-fj1x-be1c-h3c4 (Aliases: CVE-2022-0334, GHSA-93pj-4p65-qmr9) | Exposure of Resource to Wrong Sphere: Insufficient capability checks could lead to users accessing their grade report for courses where they do not have the required `gradereport/user:view` capability. | Affected by 6 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-fvkk-381y-1kcb (Aliases: CVE-2021-43559, GHSA-3jrj-x6cj-97cp) | Cross-Site Request Forgery (CSRF): The `delete related badge` functionality does not include the necessary token check to prevent a CSRF risk. | Affected by 7 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 18 other vulnerabilities. |
| VCID-fx3x-sc7h-guhb (Aliases: CVE-2020-14321, GHSA-9q29-jcjw-fw7h) | | Affected by 32 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 53 other vulnerabilities. |
| VCID-gt8k-6dg8-qqa8 (Aliases: CVE-2018-1137, GHSA-vxqh-mx28-7ghw) | Improper Input Validation: An issue was discovered in Moodle. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack. | Affected by 29 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 41 other vulnerabilities. |
| VCID-j7ab-5rkp-yyeh (Aliases: CVE-2018-1042, GHSA-qqjv-mc2v-p7mc) | Server-Side Request Forgery (SSRF): Moodle has Server Side Request Forgery in the `filepicker`. | Affected by 35 other vulnerabilities. Affected by 42 other vulnerabilities. Affected by 48 other vulnerabilities. |
| VCID-jrf4-ua1a-cfcr (Aliases: CVE-2018-1081, GHSA-v9xq-vh72-chr4) | Improper Access Control: Unauthenticated users can trigger custom messages to the admin via the PayPal enrol script. The PayPal IPN callback script should only send error emails to the admin after the request origin has been verified; otherwise the admin email can be spammed. | Affected by 34 other vulnerabilities. Affected by 40 other vulnerabilities. Affected by 46 other vulnerabilities. |
| VCID-k249-a5wk-2fcs (Aliases: CVE-2019-10186, GHSA-wv9c-pfpm-4wc5) | | Affected by 40 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 33 other vulnerabilities. |
| VCID-k72d-w9wa-m7b5 (Aliases: CVE-2018-1134, GHSA-xjx9-7c29-pwmm) | Improper Privilege Management: An issue was discovered in Moodle. Students who submitted assignments and exported them to portfolios can download any stored Moodle file by changing the download URL. | Affected by 29 other vulnerabilities. Affected by 35 other vulnerabilities. Affected by 41 other vulnerabilities. |
| VCID-kys8-9mu7-w7dn (Aliases: CVE-2019-18210, GHSA-q6vw-27c6-jv9c) | | Affected by 27 other vulnerabilities. |
| VCID-mkuq-tdbg-t3ce (Aliases: CVE-2022-0335, GHSA-xpfv-89vg-r562) | Cross-Site Request Forgery (CSRF): The `delete badge alignment` functionality does not include the necessary token check to prevent a CSRF risk. | Affected by 6 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-mzy3-yscv-9kc4 (Aliases: CVE-2017-2578, GHSA-6r76-f8c8-fh7p) | Cross-site Scripting: There is XSS in the assignment submission page. | Affected by 51 other vulnerabilities. |
| VCID-nbpz-vdd1-w3ae (Aliases: CVE-2019-3847, GHSA-qrcj-6fjw-3h9h) | Improper Input Validation: Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf. | Affected by 29 other vulnerabilities. Affected by 47 other vulnerabilities. Affected by 29 other vulnerabilities. |
| VCID-qf7h-3hbp-5bbb (Aliases: CVE-2017-2643, GHSA-98mf-mqw9-9q8q) | Information Exposure: In Moodle, global search displays user names for unauthenticated users. | Affected by 48 other vulnerabilities. |
| VCID-qnn9-5vhh-nkd8 (Aliases: CVE-2019-3848, GHSA-45rw-4r25-jvg7) | Information Exposure: Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. | Affected by 29 other vulnerabilities. Affected by 47 other vulnerabilities. Affected by 29 other vulnerabilities. |
| VCID-s8ph-ghzm-q7c5 (Aliases: CVE-2019-10187, GHSA-2mg9-hv69-897x) | | Affected by 40 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 33 other vulnerabilities. |
| VCID-svds-tck8-rqce (Aliases: CVE-2021-32478, GHSA-78fm-qhh8-8858) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected. | Affected by 7 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-u843-6ku8-6bh7 (Aliases: CVE-2018-10891, GHSA-p7v9-gjrh-563x) | Injection Vulnerability: When a quiz question bank is imported, it is possible for the question preview that is displayed to execute JavaScript that is written into the question bank. | Affected by 0 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 38 other vulnerabilities. Affected by 58 other vulnerabilities. |
| VCID-vgwe-53vc-m7gn (Aliases: CVE-2021-40694, GHSA-m37g-mwcg-7j7v) | | Affected by 21 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 22 other vulnerabilities. |
| VCID-wc31-v1d5-jydh (Aliases: CVE-2021-43560, GHSA-g39c-mccf-rxjv) | Exposure of Resource to Wrong Sphere: Insufficient capability checks made it possible to fetch other users' calendar action events. | Affected by 7 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 18 other vulnerabilities. |
| VCID-x3gw-ztjq-ebbu (Aliases: CVE-2020-1692, GHSA-9328-7pcw-vw69) | | Affected by 31 other vulnerabilities. |
| VCID-xatq-q64s-gugm (Aliases: CVE-2017-12156, GHSA-7mfw-g8x4-rq2w) | Cross-site Scripting: Moodle has an XSS in the contact form on the "non-respondents" page in non-anonymous feedback. | Affected by 41 other vulnerabilities. Affected by 39 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 48 other vulnerabilities. Affected by 46 other vulnerabilities. |
| VCID-xktx-amv6-gbh2 (Aliases: CVE-2019-3850, GHSA-3fj7-9j8m-7r8g) | URL Redirection to Untrusted Site (Open Redirect): Links within assignment submission comments would open directly (in the same window). Although the links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits. | Affected by 29 other vulnerabilities. Affected by 47 other vulnerabilities. Affected by 29 other vulnerabilities. |
| VCID-y219-hufv-tkds (Aliases: CVE-2019-10188, GHSA-92q5-2h76-vgmj) | | Affected by 40 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 33 other vulnerabilities. |
| VCID-y8j3-pw73-c3he (Aliases: CVE-2018-1044, GHSA-332g-xh34-5c96) | Information Exposure: In Moodle, the quiz web services allow students to see quiz results when this is prohibited in the settings. | Affected by 35 other vulnerabilities. Affected by 42 other vulnerabilities. Affected by 48 other vulnerabilities. |
| VCID-ypxn-wgkc-nfcm (Aliases: CVE-2017-7490, GHSA-9x63-m3cc-qf3g) | Exposure of Resource to Wrong Sphere: In Moodle, searching of arbitrary blogs is possible because a capability check is missing. | Affected by 44 other vulnerabilities. |
| VCID-yyb2-961k-qyet (Aliases: CVE-2022-0985, GHSA-6q9g-3vfq-q2qj) | Improper Authentication: Insufficient capability checks could allow users with the `moodle/site:uploadusers` capability to delete users, without having the necessary `moodle/user:delete` capability. | Affected by 11 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 11 other vulnerabilities. |
| VCID-zn3y-sq7h-83h9 (Aliases: CVE-2021-32474, GHSA-rvmc-8gmg-ggqr) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. | Affected by 11 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-zyg8-e1k7-jqd2 (Aliases: CVE-2017-2576, GHSA-cjrf-xg77-chpw) | Improper Input Validation: There is incorrect sanitization of attributes in forums. | Affected by 51 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |