Search for packages
| purl | pkg:composer/moodle/moodle@3.8.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2cdg-m3pq-ufe5
Aliases: CVE-2021-32476 GHSA-4qxc-qxrp-33cw |
Uncontrolled Resource Consumption A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. |
Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-2jta-hqah-d7cf
Aliases: CVE-2021-32472 GHSA-454r-jccq-96q8 |
Exposure of Sensitive Information to an Unauthorized Actor Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 are affected. |
Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-3cb4-wz6x-ckcd
Aliases: CVE-2020-25699 GHSA-h77r-rp97-7rv4 |
Improper Privilege Management In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-3uvf-6ztd-xkaf
Aliases: CVE-2020-25703 GHSA-c7v4-m269-4995 |
Information Exposure The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-42fa-qbft-rfff
Aliases: CVE-2020-25698 GHSA-vxhx-gmhm-623c |
Improper Access Control Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-56wj-4124-ryd2
Aliases: CVE-2020-25629 GHSA-f5r8-7h4f-jr9x |
Improper Access Control A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. |
Affected by 15 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-6m19-4krm-2udd
Aliases: CVE-2020-25630 GHSA-66xp-28cq-mrf2 |
Uncontrolled Resource Consumption A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. |
Affected by 15 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-bbj9-hpz3-xqhh
Aliases: CVE-2021-20279 GHSA-h7h6-fwpv-ggvx |
Cross-site Scripting The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle |
Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-bju3-sj3y-83e3
Aliases: CVE-2021-32473 GHSA-wx87-h539-4775 |
Exposure of Sensitive Information to an Unauthorized Actor It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected |
Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-c14d-1sa2-rkf6
Aliases: CVE-2020-25631 GHSA-4w4j-9533-82qg |
Cross-site Scripting An XSS vulnerability was found in Moodle |
Affected by 15 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-c1a1-z5m1-nfbc
Aliases: CVE-2020-25701 GHSA-c9hq-g4q8-w893 |
Incorrect Authorization If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-cs5n-4bst-zfcj
Aliases: CVE-2021-32474 GHSA-rvmc-8gmg-ggqr |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. |
Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-dpd2-1sqc-qqfy
Aliases: CVE-2021-20281 GHSA-93wh-35r4-6qmw |
Information Exposure It was possible for some users without permission to view other users' full names to do so via the online users block in moodle |
Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-efq2-s2df-pqa1
Aliases: CVE-2021-32475 GHSA-5wjh-v7c8-wrhx |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. |
Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-fskk-cb95-uqer
Aliases: CVE-2020-25628 GHSA-5x33-h32w-6vr2 |
Cross-site Scripting The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. |
Affected by 15 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-gnez-ehgq-rfbr
Aliases: CVE-2021-20282 GHSA-grj4-g57c-9xmv |
Incorrect Authorization When creating a user account, it was possible to verify the account without having access to the verification email `link/secret` in moodle |
Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jcq6-btgz-fkf6
Aliases: CVE-2021-20183 GHSA-xhfx-rm8q-c3xv |
Cross-site Scripting It was found in Moodle that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries. |
Affected by 6 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jcsq-3q5z-4kc6
Aliases: CVE-2020-25700 GHSA-7h8v-2v8x-h264 |
SQL Injection In moodle, some database module web services allowed students to add entries within groups they did not belong to. |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-jg1j-e9kb-vfeb
Aliases: CVE-2020-1691 GHSA-cwhp-rqfr-8462 |
Moodle XSS Vulnerability In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting. |
Affected by 20 other vulnerabilities. |
|
VCID-mhm4-8kuk-t7b6
Aliases: CVE-2021-20185 GHSA-c3j6-33r4-89q3 |
Uncontrolled Resource Consumption It was found in Moodle that messaging does not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-mkfz-e1ft-2bcw
Aliases: CVE-2021-20187 GHSA-2jrm-gww7-wch2 |
Code Injection It was found in Moodle that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-mqde-66zm-qbbj
Aliases: CVE-2021-20283 GHSA-2m72-m5cw-3g9h |
Incorrect Authorization The web service responsible for fetching other users' enrolled courses does not validate that the requesting user had permission to view that information in each course in moodle |
Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-nntc-dsz1-e3fp
Aliases: CVE-2021-20186 GHSA-h8m4-h385-qhqv |
Cross-site Scripting It was found in Moodle that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-paj4-nq1r-jbd3
Aliases: CVE-2020-10738 GHSA-vr6v-g96p-cjc3 |
Improper Input Validation It is possible to create an SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution. |
Affected by 19 other vulnerabilities. |
|
VCID-pgfa-bkaw-q7cq
Aliases: CVE-2021-20280 GHSA-x2jp-hh65-4xvf |
Cross-site Scripting Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle |
Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-zwkk-zazw-6fgg
Aliases: CVE-2021-20184 GHSA-mm73-86f9-5x5c |
Improper Validation of Integrity Check Value It was found in Moodle that a insufficient capability checks in some grade related web services meant students were able to view other students grades. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||