| purl | pkg:composer/moodle/moodle@3.6.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3r3j-bqzm-5ufz (aliases: CVE-2019-10154, GHSA-ww45-x87c-wgff) | Improper Access Control: A web service fetching messages was not restricted to the current user's conversations. | Affected by 6 other vulnerabilities. |
| VCID-d2au-r7m3-cyc8 (aliases: CVE-2019-10189, GHSA-h7xp-7fjp-ghhc) | | Affected by 2 other vulnerabilities. |
| VCID-eb8w-rqef-sqca (aliases: CVE-2019-3849, GHSA-5wg9-5w3f-hxmh) | Improper Authorization: Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. | Affected by 9 other vulnerabilities. |
| VCID-k249-a5wk-2fcs (aliases: CVE-2019-10186, GHSA-wv9c-pfpm-4wc5) | | Affected by 2 other vulnerabilities. |
| VCID-kys8-9mu7-w7dn (aliases: CVE-2019-18210, GHSA-q6vw-27c6-jv9c) | | Affected by 2 other vulnerabilities. |
| VCID-nbpz-vdd1-w3ae (aliases: CVE-2019-3847, GHSA-qrcj-6fjw-3h9h) | Improper Input Validation: Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when viewed by the user logging in on their behalf. | Affected by 9 other vulnerabilities. |
| VCID-qfmd-5exc-c3f3 (aliases: CVE-2019-10134, GHSA-j8wr-7xxj-c2fr) | Improper Input Validation: The size of users' private file uploads via email was not correctly checked, so their quota allowance could be exceeded. | Affected by 6 other vulnerabilities. |
| VCID-qnn9-5vhh-nkd8 (aliases: CVE-2019-3848, GHSA-45rw-4r25-jvg7) | Information Exposure: Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. | Affected by 9 other vulnerabilities. |
| VCID-s8ph-ghzm-q7c5 (aliases: CVE-2019-10187, GHSA-2mg9-hv69-897x) | | Affected by 2 other vulnerabilities. |
| VCID-vabw-g3da-bqbz (aliases: CVE-2019-3851, GHSA-pj45-hp8h-289r) | Permissions, Privileges, and Access Controls: There was a link to site home within the Boost theme's secure layout, meaning students could navigate out of the page. | Affected by 9 other vulnerabilities. |
| VCID-x2e5-m5rs-7qfr (aliases: CVE-2019-10133, GHSA-5xp2-rv4h-mm2q) | URL Redirection to Untrusted Site (Open Redirect): The form to upload cohorts contained a redirect field, which was not restricted to internal URLs. | Affected by 6 other vulnerabilities. |
| VCID-x3gw-ztjq-ebbu (aliases: CVE-2020-1692, GHSA-9328-7pcw-vw69) | | Affected by 1 other vulnerability. |
| VCID-xktx-amv6-gbh2 (aliases: CVE-2019-3850, GHSA-3fj7-9j8m-7r8g) | URL Redirection to Untrusted Site (Open Redirect): Links within assignment submission comments would open directly (in the same window). Although the links themselves may be valid, opening in the same window and without the no-referrer header policy made them more susceptible to exploits. | Affected by 9 other vulnerabilities. |
| VCID-y219-hufv-tkds (aliases: CVE-2019-10188, GHSA-92q5-2h76-vgmj) | | Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2avg-qvn9-bkdn | Cross-site Scripting: The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default. | CVE-2019-3808, GHSA-4r2p-wpv5-683w |
| VCID-hurp-xp2w-wbcp | Information Exposure: The `/userpix/` page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted. | CVE-2019-3810, GHSA-wm4w-8vc6-2j4h |