Search for packages
| purl | pkg:composer/moodle/moodle@4.1.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1vxe-caqu-kqab
Aliases: CVE-2023-28332 GHSA-9f45-9qrw-pp4v |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') If the algebra filter was enabled but not functional (eg the necessary binaries were missing from the server), it presented an XSS risk. |
Affected by 0 other vulnerabilities. |
|
VCID-3898-265t-1yd5
Aliases: CVE-2023-5544 GHSA-j5xf-gv89-g422 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-3pgc-yptg-tuaa
Aliases: CVE-2023-5545 GHSA-26fg-v32r-h663 |
Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability H5P metadata automatically populated the author with the user's username, which could be sensitive information. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-4bfr-preb-afas
Aliases: CVE-2023-35131 GHSA-fwfj-8p36-rc64 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-4k5r-agwn-ruea
Aliases: CVE-2023-35133 GHSA-xxp4-mf4h-6cwm |
Server-Side Request Forgery (SSRF) An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-57pd-ath8-1yf9
Aliases: CVE-2023-5539 GHSA-3xxm-3g3c-w579 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-5gh4-58jt-dfet
Aliases: CVE-2023-1402 GHSA-vj5p-fp42-774p |
Moodle may display roles to users who don't have access to them The course participation report required additional checks to prevent roles being displayed which the user does not have access to view. |
Affected by 0 other vulnerabilities. |
|
VCID-5v9k-wk4u-uuf9
Aliases: CVE-2023-5547 GHSA-9gqp-3g28-w9xc |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The course upload preview contained an XSS risk for users uploading unsafe data. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-91z3-7wza-c7gs
Aliases: CVE-2023-23921 GHSA-97qf-pq7x-964m |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks. |
Affected by 0 other vulnerabilities. |
|
VCID-97gg-fuah-jqcq
Aliases: CVE-2023-28329 GHSA-72w2-j52c-7682 |
Moodle SQL Injection vulnerability Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers). |
Affected by 0 other vulnerabilities. |
|
VCID-9rv1-hn65-dbhe
Aliases: CVE-2023-5540 GHSA-w8x2-w4qr-v3x4 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-a195-b6wc-xkbv
Aliases: CVE-2023-28330 GHSA-56r9-72vx-q989 |
Moodle arbitrary file read vulnerability Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default. |
Affected by 0 other vulnerabilities. |
|
VCID-a8pk-18gr-mubw
Aliases: CVE-2023-5551 GHSA-jr83-8x65-xcr5 |
Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-affq-4sqk-p7ad
Aliases: CVE-2023-28331 GHSA-77jm-f3vj-xvx2 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk. |
Affected by 0 other vulnerabilities. |
|
VCID-aubk-tpgh-z7e2
Aliases: CVE-2023-5543 |
Improper Authorization When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-bvne-5ym9-byaz
Aliases: CVE-2023-23922 GHSA-grmj-gpwm-98ww |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks. |
Affected by 0 other vulnerabilities. |
|
VCID-cmz4-8t2n-27ef
Aliases: CVE-2023-30943 GHSA-22gj-8qj2-fj46 |
Moodle External Control of File Name or Path vulnerability The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-cpxg-pzcj-73gn
Aliases: CVE-2023-5541 GHSA-28gc-4qq5-8q26 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-fb4d-p8pw-yka4
Aliases: CVE-2023-5550 GHSA-5cvx-cwpx-9rjh |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-gqwn-qskg-qbc7
Aliases: CVE-2023-5548 GHSA-cwh2-q44x-5w3c |
Moodle Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jc4y-cpn8-6kgs
Aliases: CVE-2023-35132 GHSA-49mv-vfcp-8gg9 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-nr96-4dtm-kbf9
Aliases: CVE-2023-28334 GHSA-hh52-g5c4-wprh |
Moodle may allow authenticated users to enumerate other user's names via learning plans page Authenticated users were able to enumerate other users' names via the learning plans page. |
Affected by 0 other vulnerabilities. |
|
VCID-p9vn-r312-1beg
Aliases: CVE-2023-5549 GHSA-fm5h-58g2-4m3f |
Moodle Improper Access Control vulnerability Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they does not have the capability to manage. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-qmcu-uyur-r7bg
Aliases: CVE-2023-5546 GHSA-9724-h8p7-r3jv |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-rb6y-r3se-jya9
Aliases: CVE-2023-28333 GHSA-q2x3-2f9g-h559 |
Moodle's Mustache pix helper contained a potential Mustache injection risk if combined with user input The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This does not appear to be implemented/exploitable anywhere in the core Moodle LMS). |
Affected by 0 other vulnerabilities. |
|
VCID-s3wm-bype-73bh
Aliases: CVE-2023-30944 GHSA-7mmc-22g7-3xq2 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-u1r6-67qc-37cg
Aliases: CVE-2023-28335 GHSA-wxmq-v9gx-75pg |
Cross-Site Request Forgery (CSRF) The link to reset all templates of a database activity does not include the necessary token to prevent a CSRF risk. |
Affected by 0 other vulnerabilities. |
|
VCID-v9pe-asg8-37hv
Aliases: CVE-2023-28336 GHSA-prjm-2fj2-787f |
Moodle may allow teachers to access the names of users they could not otherwise access Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access. |
Affected by 0 other vulnerabilities. |
|
VCID-zhhy-m421-nffk
Aliases: CVE-2023-23923 GHSA-32jc-9p58-p82x |
Improper Access Control The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||