Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/moodle/moodle@3.6.3
purl pkg:composer/moodle/moodle@3.6.3
Next non-vulnerable version 3.6.4
Latest non-vulnerable version 5.1.2
Risk
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-deur-8zdf-2kh2
Aliases:
CVE-2019-10134
Improper Input Validation The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
3.6.4
Affected by 0 other vulnerabilities.
VCID-qxsq-ku22-r7gx
Aliases:
CVE-2019-10133
URL Redirection to Untrusted Site (Open Redirect) The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
3.6.4
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (6)
Vulnerability Summary Aliases
VCID-akv3-zfp8-kkc7 Permissions, Privileges, and Access Controls There was a link to site home within the the Boost theme's secure layout, meaning students could navigate out of the page. CVE-2019-3851
VCID-eaf7-c68j-audm Moodle context freezing A vulnerability was found in moodle before version 3.6.3. The get_with_capability_join and get_users_by_capability functions were not taking context freezing into account when checking user capabilities CVE-2019-3852
GHSA-v2rh-5v88-rgvh
VCID-qhv1-wgpm-7fh6 Improper Authorization Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site. CVE-2019-3849
VCID-r6kn-b963-eqge URL Redirection to Untrusted Site (Open Redirect) Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits. CVE-2019-3850
VCID-s6uu-335k-yfbc Improper Input Validation Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf. CVE-2019-3847
VCID-zjrq-np3y-hua5 Information Exposure Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. CVE-2019-3848

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-02T04:42:56.012780+00:00 GitLab Importer Fixing VCID-eaf7-c68j-audm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-3852.yml 38.6.0
2026-06-02T04:39:23.749717+00:00 GitLab Importer Affected by VCID-deur-8zdf-2kh2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-10134.yml 38.6.0
2026-06-02T04:39:23.391507+00:00 GitLab Importer Affected by VCID-qxsq-ku22-r7gx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-10133.yml 38.6.0
2026-06-02T04:39:03.066266+00:00 GitLab Importer Fixing VCID-s6uu-335k-yfbc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-3847.yml 38.6.0
2026-06-02T04:39:02.630513+00:00 GitLab Importer Fixing VCID-zjrq-np3y-hua5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-3848.yml 38.6.0
2026-06-02T04:39:02.568116+00:00 GitLab Importer Fixing VCID-r6kn-b963-eqge https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-3850.yml 38.6.0
2026-06-02T04:39:02.403925+00:00 GitLab Importer Fixing VCID-qhv1-wgpm-7fh6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-3849.yml 38.6.0
2026-06-02T04:39:02.341092+00:00 GitLab Importer Fixing VCID-akv3-zfp8-kkc7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2019-3851.yml 38.6.0