| purl | pkg:composer/moodle/moodle@4.2.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1vuz-a4xt-5qd4
Aliases: CVE-2024-43440 GHSA-qrqv-26gf-xgwh |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-2exa-nxym-tkbh
Aliases: CVE-2024-43427 GHSA-vpq5-56jj-vf2m |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-2h6c-6mgm-akc2
Aliases: CVE-2025-62399 GHSA-m58f-9pvv-8mp2 |
Moodle vulnerable to brute-force password guesses Moodle's mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks. |
Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-2k9q-b84j-ryef
Aliases: CVE-2024-28593 GHSA-f6mh-79vh-2hv7 |
Cross-site Scripting in Moodle Chat The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text." This page also says "Chat is due to be removed from standard Moodle." | There are no reported fixed by versions. |
|
VCID-3898-265t-1yd5
Aliases: CVE-2023-5544 GHSA-j5xf-gv89-g422 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. |
Affected by 51 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-39yn-ju6v-c7bd
Aliases: CVE-2024-34004 GHSA-q3cm-ccrm-2mr6 |
Affected by 32 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
|
VCID-3pgc-yptg-tuaa
Aliases: CVE-2023-5545 GHSA-26fg-v32r-h663 |
Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability H5P metadata automatically populated the author with the user's username, which could be sensitive information. |
Affected by 51 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-4bfr-preb-afas
Aliases: CVE-2023-35131 GHSA-fwfj-8p36-rc64 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14. |
Affected by 63 other vulnerabilities. |
|
VCID-4k5r-agwn-ruea
Aliases: CVE-2023-35133 GHSA-xxp4-mf4h-6cwm |
Server-Side Request Forgery (SSRF) An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. |
Affected by 63 other vulnerabilities. |
|
VCID-57pd-ath8-1yf9
Aliases: CVE-2023-5539 GHSA-3xxm-3g3c-w579 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. |
Affected by 51 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-595g-p5gs-8fdf
Aliases: CVE-2024-43439 GHSA-hjgc-jxjc-8v9j |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-5dx5-3bx2-s3fs
Aliases: CVE-2024-1439 GHSA-5p2x-8427-9fgp |
Improper Access Control Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent. |
Affected by 63 other vulnerabilities. |
|
VCID-5v9k-wk4u-uuf9
Aliases: CVE-2023-5547 GHSA-9gqp-3g28-w9xc |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The course upload preview contained an XSS risk for users uploading unsafe data. |
Affected by 51 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-64vn-tcmj-fqac
Aliases: CVE-2024-34003 GHSA-jg4f-8w9x-jv35 |
Affected by 32 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
|
VCID-7f2q-hz7t-tkdx
Aliases: CVE-2024-45690 GHSA-fhg2-r2h9-h7q8 |
Affected by 10 other vulnerabilities. Affected by 33 other vulnerabilities. Affected by 43 other vulnerabilities. |
|
|
VCID-7r7p-pcsy-ubbj
Aliases: CVE-2024-38276 GHSA-356g-7x36-7m34 |
Affected by 27 other vulnerabilities. Affected by 51 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
|
VCID-7spz-muj8-bbd3
Aliases: CVE-2024-48896 GHSA-cq5f-wv7p-5gfc |
Affected by 6 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 38 other vulnerabilities. |
|
|
VCID-7xms-9t2c-vbbv
Aliases: CVE-2024-38277 GHSA-r82w-3phg-qvr4 |
Affected by 27 other vulnerabilities. Affected by 51 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
|
VCID-9cbt-2fg9-pyd7
Aliases: CVE-2024-25978 GHSA-487g-3m3v-hjhq |
Uncontrolled Resource Consumption Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality. |
Affected by 44 other vulnerabilities. Affected by 71 other vulnerabilities. |
|
VCID-9q9d-tprk-a7en
Aliases: CVE-2024-33997 GHSA-9qgq-93c7-9hm4 |
Affected by 32 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
|
VCID-9rv1-hn65-dbhe
Aliases: CVE-2023-5540 GHSA-w8x2-w4qr-v3x4 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers. |
Affected by 51 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-a6w6-penj-kuds
Aliases: CVE-2025-62401 GHSA-w29j-8phw-ffjf |
Moodle has a time restriction bypass An issue in Moodle's timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to complete an assessment. |
Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-a8pk-18gr-mubw
Aliases: CVE-2023-5551 GHSA-jr83-8x65-xcr5 |
Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups. |
Affected by 51 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-au2d-mwnn-rkau
Aliases: CVE-2024-43436 GHSA-mx26-62xm-2p83 |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-aubk-tpgh-z7e2
Aliases: CVE-2023-5543 |
Improper Authorization When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting. |
Affected by 51 other vulnerabilities. |
|
VCID-bake-gya4-m7ex
Aliases: CVE-2023-5542 GHSA-8mm2-m2gp-c6x2 |
Moodle Improper Access Control vulnerability Students in "Only see own membership" groups could see other students in the group, which should be hidden. |
Affected by 47 other vulnerabilities. |
|
VCID-cf3k-pt7y-d3c9
Aliases: CVE-2024-38275 GHSA-p2cj-86v4-7782 |
Affected by 27 other vulnerabilities. Affected by 51 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
|
VCID-cpxg-pzcj-73gn
Aliases: CVE-2023-5541 GHSA-28gc-4qq5-8q26 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content. |
Affected by 51 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-d19b-f2vj-fqg7
Aliases: CVE-2024-43438 GHSA-p9cx-f595-h79h |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-dpna-q7gw-b7eb
Aliases: CVE-2024-34006 GHSA-vvh5-7v3m-j3mj |
Affected by 32 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
|
VCID-e39g-pwrd-vufr
Aliases: CVE-2024-48898 GHSA-fjq9-452g-jg3q |
Affected by 6 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 38 other vulnerabilities. |
|
|
VCID-ewvq-xtfp-kbed
Aliases: CVE-2024-48897 GHSA-x3x9-349x-2485 |
Affected by 6 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 38 other vulnerabilities. |
|
|
VCID-fb4d-p8pw-yka4
Aliases: CVE-2023-5550 GHSA-5cvx-cwpx-9rjh |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. |
Affected by 51 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-fcf4-tf5h-hfcr
Aliases: CVE-2025-62400 GHSA-422v-w6c5-vq42 |
Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information. |
Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-gqwn-qskg-qbc7
Aliases: CVE-2023-5548 GHSA-cwh2-q44x-5w3c |
Moodle Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. |
Affected by 51 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-hjzy-jk88-9ycw
Aliases: CVE-2024-43437 GHSA-4hjf-6pxr-549h |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-jc4y-cpn8-6kgs
Aliases: CVE-2023-35132 GHSA-49mv-vfcp-8gg9 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. |
Affected by 63 other vulnerabilities. |
|
VCID-jcxv-jtyh-f7e9
Aliases: CVE-2026-26047 GHSA-cg8j-5cr2-568q |
Moodle TeX formula editor is vulnerable to DoS through lack of execution time limits A Denial of Service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-k51w-zrpe-9kb7
Aliases: CVE-2024-33996 GHSA-4qww-rxq6-x7gf |
Affected by 32 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
|
VCID-kbg8-7sgp-pqdt
Aliases: CVE-2024-43432 GHSA-7wmp-2xmx-g6h8 |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-me85-hcys-6fdq
Aliases: CVE-2024-43434 GHSA-x87r-37q5-mmr8 |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-mj91-b11k-k3b7
Aliases: CVE-2024-34005 GHSA-r99q-hmqv-xw8w |
Affected by 32 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
|
VCID-mjpw-fdtz-hqd5
Aliases: CVE-2024-43435 GHSA-4gq2-x5w4-7hp8 |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-mqj9-khvp-2yca
Aliases: CVE-2024-38273 GHSA-x29x-qwvx-fxr2 |
Affected by 27 other vulnerabilities. Affected by 51 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
|
VCID-nfjk-e6e8-p3e9
Aliases: CVE-2024-43425 GHSA-v6f4-v8h8-3c87 |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-p9vn-r312-1beg
Aliases: CVE-2023-5549 GHSA-fm5h-58g2-4m3f |
Moodle Improper Access Control vulnerability Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they do not have the capability to manage. |
Affected by 51 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-q3nn-y9nh-u7a3
Aliases: CVE-2024-34002 GHSA-mm9p-xwfm-3fqf |
Affected by 32 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
|
VCID-qhed-xzv8-rkhn
Aliases: CVE-2024-34001 GHSA-gq9f-8rj4-w7jc |
Affected by 32 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
|
VCID-qjmt-cfak-nqax
Aliases: CVE-2024-43428 GHSA-2r9m-wg35-rfvc |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-qmcu-uyur-r7bg
Aliases: CVE-2023-5546 GHSA-9724-h8p7-r3jv |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. |
Affected by 51 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-qpm9-vvpu-b7dd
Aliases: CVE-2024-25979 GHSA-6vjf-48fh-vxxj |
Improper Handling of Parameters in moodle The URL parameters accepted by forum search were not limited to the allowed parameters. |
Affected by 44 other vulnerabilities. Affected by 71 other vulnerabilities. |
|
VCID-r1p6-a3wq-ykgp
Aliases: CVE-2024-34008 GHSA-68x5-4jg5-gjgg |
Affected by 32 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
|
VCID-r6s9-x771-yka8
Aliases: CVE-2024-25980 GHSA-cp8m-h777-g4p3 |
Improper Access Control in moodle Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers. |
Affected by 44 other vulnerabilities. Affected by 71 other vulnerabilities. |
|
VCID-r9jc-krzs-xqaa
Aliases: CVE-2024-45691 GHSA-xfv7-h2qg-rjm7 |
Affected by 10 other vulnerabilities. Affected by 33 other vulnerabilities. Affected by 43 other vulnerabilities. |
|
|
VCID-rh68-hatq-rqbr
Aliases: CVE-2024-38274 GHSA-p5cg-6rfr-6mx8 |
Affected by 27 other vulnerabilities. Affected by 51 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
|
VCID-sjws-ab9q-3kbn
Aliases: CVE-2024-43426 GHSA-vjmm-r9gg-425m |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-svah-tdua-gfe6
Aliases: CVE-2024-34000 GHSA-8qwh-4vwv-7c5m |
Affected by 32 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
|
VCID-thj1-tjk1-vffu
Aliases: CVE-2024-25983 GHSA-9r26-5w88-qhp9 |
Authorization Bypass in moodle Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page). |
Affected by 44 other vulnerabilities. Affected by 71 other vulnerabilities. |
|
VCID-vvn1-xus3-qbg2
Aliases: CVE-2024-25981 GHSA-jfrg-9hpq-9hvp |
Improper Access Control in moodle Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers. |
Affected by 44 other vulnerabilities. Affected by 71 other vulnerabilities. |
|
VCID-wv4g-k5kj-zybd
Aliases: CVE-2024-43429 GHSA-c767-4whh-v7rw |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
|
VCID-wwu5-av43-1bej
Aliases: CVE-2024-33998 GHSA-xqhh-253w-4q5f |
Affected by 32 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
|
VCID-ybpa-c7eh-syam
Aliases: CVE-2024-25982 GHSA-7pjp-fm93-p6pj |
Cross-Site Request Forgery in moodle The link to update all installed language packs did not include the necessary token to prevent a CSRF risk. |
Affected by 44 other vulnerabilities. Affected by 71 other vulnerabilities. |
|
VCID-ywxq-jkr8-3fat
Aliases: CVE-2024-48901 GHSA-mg54-p2wj-5ph7 |
Affected by 6 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 38 other vulnerabilities. |
|
|
VCID-z25b-g2p4-37dc
Aliases: CVE-2024-45689 GHSA-j822-x5gg-5r56 |
Affected by 10 other vulnerabilities. Affected by 33 other vulnerabilities. Affected by 43 other vulnerabilities. |
|
|
VCID-zaff-9ezm-aba1
Aliases: CVE-2025-67847 GHSA-xvmh-25jw-gmmm |
Moodle affected by a code injection vulnerability A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-zd4r-bn1p-27a5
Aliases: CVE-2026-26045 GHSA-ggxq-2mg9-8966 |
Moodle has a Remote Code Execution risk via file restore A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are typically available to privileged users, exploitation requires authenticated access. Successful exploitation could result in full compromise of the Moodle server. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-zstw-f2zz-gqfw
Aliases: CVE-2024-43431 GHSA-wwjf-gwrv-wh45 |
Affected by 13 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 47 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||