Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/moodle/moodle@3.4.8
purl pkg:composer/moodle/moodle@3.4.8
Next non-vulnerable version 3.4.9
Latest non-vulnerable version 5.1.2
Risk
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-deur-8zdf-2kh2
Aliases:
CVE-2019-10134
Improper Input Validation The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
3.4.9
Affected by 0 other vulnerabilities.
3.5.6
Affected by 0 other vulnerabilities.
3.6.4
Affected by 0 other vulnerabilities.
VCID-qxsq-ku22-r7gx
Aliases:
CVE-2019-10133
URL Redirection to Untrusted Site (Open Redirect) The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
3.4.9
Affected by 0 other vulnerabilities.
3.5.6
Affected by 0 other vulnerabilities.
3.6.4
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (4)
Vulnerability Summary Aliases
VCID-qhv1-wgpm-7fh6 Improper Authorization Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. CVE-2019-3849
VCID-r6kn-b963-eqge URL Redirection to Untrusted Site (Open Redirect) Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits. CVE-2019-3850
VCID-s6uu-335k-yfbc Improper Input Validation Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf. CVE-2019-3847
VCID-zjrq-np3y-hua5 Information Exposure Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. CVE-2019-3848

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-02T04:39:23.733619+00:00 GitLab Importer Affected by VCID-deur-8zdf-2kh2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-10134.yml 38.6.0
2026-06-02T04:39:23.375631+00:00 GitLab Importer Affected by VCID-qxsq-ku22-r7gx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-10133.yml 38.6.0
2026-06-02T04:39:03.058570+00:00 GitLab Importer Fixing VCID-s6uu-335k-yfbc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-3847.yml 38.6.0
2026-06-02T04:39:02.622910+00:00 GitLab Importer Fixing VCID-zjrq-np3y-hua5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-3848.yml 38.6.0
2026-06-02T04:39:02.560290+00:00 GitLab Importer Fixing VCID-r6kn-b963-eqge https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-3850.yml 38.6.0
2026-06-02T04:39:02.395747+00:00 GitLab Importer Fixing VCID-qhv1-wgpm-7fh6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-3849.yml 38.6.0