| purl | pkg:composer/moodle/moodle@4.2.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-3898-265t-1yd5 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. | CVE-2023-5544, GHSA-j5xf-gv89-g422 |
| VCID-3pgc-yptg-tuaa | Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability. H5P metadata automatically populated the author with the user's username, which could be sensitive information. | CVE-2023-5545, GHSA-26fg-v32r-h663 |
| VCID-57pd-ath8-1yf9 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. | CVE-2023-5539, GHSA-3xxm-3g3c-w579 |
| VCID-5v9k-wk4u-uuf9 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The course upload preview contained an XSS risk for users uploading unsafe data. | CVE-2023-5547, GHSA-9gqp-3g28-w9xc |
| VCID-9rv1-hn65-dbhe | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers. | CVE-2023-5540, GHSA-w8x2-w4qr-v3x4 |
| VCID-a8pk-18gr-mubw | Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability. Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups. | CVE-2023-5551, GHSA-jr83-8x65-xcr5 |
| VCID-aubk-tpgh-z7e2 | Improper Authorization. When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting. | CVE-2023-5543 |
| VCID-cpxg-pzcj-73gn | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content. | CVE-2023-5541, GHSA-28gc-4qq5-8q26 |
| VCID-fb4d-p8pw-yka4 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. | CVE-2023-5550, GHSA-5cvx-cwpx-9rjh |
| VCID-gqwn-qskg-qbc7 | Moodle Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability. Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. | CVE-2023-5548, GHSA-cwh2-q44x-5w3c |
| VCID-p9vn-r312-1beg | Moodle Improper Access Control vulnerability. Insufficient web service capability checks made it possible to move categories a user had permission to manage to a parent category they do not have the capability to manage. | CVE-2023-5549, GHSA-fm5h-58g2-4m3f |
| VCID-qmcu-uyur-r7bg | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. | CVE-2023-5546, GHSA-9724-h8p7-r3jv |