| purl | pkg:composer/moodle/moodle@3.2.7 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2s6b-tp6p-gue1 Aliases: CVE-2019-10186, GHSA-wv9c-pfpm-4wc5 | Cross-Site Request Forgery (CSRF): A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool. | Affected by 23 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-a6pb-47tu-afcg Aliases: CVE-2020-1692, GHSA-9328-7pcw-vw69 | Information Exposure: Moodle is vulnerable to information exposure of service tokens for users enrolled in the same course. | Affected by 17 other vulnerabilities. |
| VCID-b7br-bh2d-rygp Aliases: CVE-2018-1137, GHSA-vxqh-mx28-7ghw | Improper Input Validation: An issue was discovered in Moodle. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack. | Affected by 13 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 25 other vulnerabilities. |
| VCID-ckg1-9vpt-yfdk Aliases: CVE-2018-1134, GHSA-xjx9-7c29-pwmm | Improper Privilege Management: An issue was discovered in Moodle. Students who submitted assignments and exported them to portfolios can download any stored Moodle file by changing the download URL. | Affected by 13 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 25 other vulnerabilities. |
| VCID-eu27-a3px-87ed Aliases: CVE-2019-10189, GHSA-h7xp-7fjp-ghhc | Improper Access Control: Teachers in an assignment group could modify group overrides for other groups in the same assignment. | Affected by 23 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-fegs-ubsk-63hu Aliases: CVE-2018-1135, GHSA-vxmv-74rf-vqgp | Information Exposure: An issue was discovered in Moodle. Students who posted on forums and exported the posts to portfolios can download any stored Moodle file by changing the download URL. | Affected by 13 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 25 other vulnerabilities. |
| VCID-g8ct-c4ce-zuaf Aliases: CVE-2018-1136, GHSA-xhfw-wjjc-4j5h | Cross-site Scripting: An issue was discovered in Moodle. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other pages where they can be viewed by other users. | Affected by 13 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 25 other vulnerabilities. |
| VCID-jcq6-btgz-fkf6 Aliases: CVE-2021-20183, GHSA-xhfx-rm8q-c3xv | Cross-site Scripting: It was found in Moodle that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries. | Affected by 6 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-m3np-aebb-8qaa Aliases: CVE-2019-10154, GHSA-ww45-x87c-wgff | Improper Access Control: A web service fetching messages was not restricted to the current user's conversations. | Affected by 13 other vulnerabilities. |
| VCID-m4zv-e3dn-budf Aliases: CVE-2018-1081, GHSA-v9xq-vh72-chr4 | Improper Access Control: Unauthenticated users can trigger custom messages to admin via PayPal enrol script. PayPal IPN callback script should only send error emails to admin after request origin was verified, otherwise admin email can be spammed. | Affected by 18 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 30 other vulnerabilities. |
| VCID-mkfz-e1ft-2bcw Aliases: CVE-2021-20187, GHSA-2jrm-gww7-wch2 | Code Injection: It was found in Moodle that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. | Affected by 7 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-nntc-dsz1-e3fp Aliases: CVE-2021-20186, GHSA-h8m4-h385-qhqv | Cross-site Scripting: It was found in Moodle that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS. | Affected by 7 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-p2gd-7uam-mqf8 Aliases: CVE-2018-1133, GHSA-xh2j-q4mc-v522 | Injection Vulnerability: An issue was discovered in Moodle. A Teacher creating a Calculated question can intentionally cause remote code execution on the server. | Affected by 13 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 25 other vulnerabilities. |
| VCID-qhv1-wgpm-7fh6 Aliases: CVE-2019-3849, GHSA-5wg9-5w3f-hxmh | Improper Authorization: Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. | Affected by 13 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-w9ca-exua-g7ar Aliases: CVE-2019-10188, GHSA-92q5-2h76-vgmj | Improper Access Control: Teachers in a quiz group could modify group overrides for other groups in the same quiz. | Affected by 23 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-x7rg-rsb5-pya7 Aliases: CVE-2019-10187, GHSA-2mg9-hv69-897x | Improper Access Control: Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to. | Affected by 23 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 19 other vulnerabilities. |
| VCID-y8up-cqtu-jkdw Aliases: CVE-2019-18210, GHSA-q6vw-27c6-jv9c | Cross-site Scripting: Persistent XSS in `/course/modedit.php` of Moodle allows authenticated users (Teacher) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the `introeditor[text]` parameter. | Affected by 14 other vulnerabilities. |
| VCID-zjrq-np3y-hua5 Aliases: CVE-2019-3848, GHSA-45rw-4r25-jvg7 | Information Exposure: Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. | Affected by 13 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-zwkk-zazw-6fgg Aliases: CVE-2021-20184, GHSA-mm73-86f9-5x5c | Improper Validation of Integrity Check Value: It was found in Moodle that insufficient capability checks in some grade related web services meant students were able to view other students' grades. | Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-ajkr-fxa1-mkhk | Cross-site Scripting: Moodle is vulnerable to XSS via a calendar event name. | CVE-2018-1045, GHSA-595j-wpfg-23w4 |
| VCID-duna-st9c-mqbk | Information Exposure: In Moodle, the quiz web services allow students to see quiz results when it is prohibited in the settings. | CVE-2018-1044, GHSA-332g-xh34-5c96 |
| VCID-nc2j-pay7-ryab | Insufficient Access Control: The setting for blocked hosts list can be bypassed with multiple A record `hostnames`. | CVE-2018-1043, GHSA-hpwm-84h5-vqr8 |
| VCID-yghg-775s-vber | Server-Side Request Forgery (SSRF): Moodle has Server Side Request Forgery in the `filepicker`. | CVE-2018-1042, GHSA-qqjv-mc2v-p7mc |