VulnerableCode Package Details - pkg:composer/moodle/moodle@4.3.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-dp61-6ban-cyda Aliases: CVE-2024-28593 GHSA-f6mh-79vh-2hv7	Cross-site Scripting in Moodle Chat The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text." This page also says "Chat is due to be removed from standard Moodle."	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-dp61-6ban-cyda
Aliases:
CVE-2024-28593
GHSA-f6mh-79vh-2hv7

Cross-site Scripting in Moodle Chat The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text." This page also says "Chat is due to be removed from standard Moodle."

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
VCID-6726-ca8y-4uez	Improper Access Control in moodle Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.	CVE-2024-25981 GHSA-jfrg-9hpq-9hvp
VCID-gycn-bey2-4yam	Improper Access Control in moodle Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.	CVE-2024-25980 GHSA-cp8m-h777-g4p3
VCID-mhh7-n7ut-hkh6	Improper Handling of Parameters in moodle The URL parameters accepted by forum search were not limited to the allowed parameters.	CVE-2024-25979 GHSA-6vjf-48fh-vxxj
VCID-qabh-bpmn-1ye5	Cross-Site Request Forgery in moodle The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.	CVE-2024-25982 GHSA-7pjp-fm93-p6pj
VCID-r1ug-e8x6-83gt	Uncontrolled Resource Consumption Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.	CVE-2024-25978 GHSA-487g-3m3v-hjhq
VCID-yc6t-am1p-x3ev	Authorization Bypass in moodle Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).	CVE-2024-25983 GHSA-9r26-5w88-qhp9

Vulnerability

Summary

Aliases

VCID-6726-ca8y-4uez

Improper Access Control in moodle Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.

CVE-2024-25981
GHSA-jfrg-9hpq-9hvp

VCID-gycn-bey2-4yam

Improper Access Control in moodle Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

CVE-2024-25980
GHSA-cp8m-h777-g4p3

VCID-mhh7-n7ut-hkh6

Improper Handling of Parameters in moodle The URL parameters accepted by forum search were not limited to the allowed parameters.

CVE-2024-25979
GHSA-6vjf-48fh-vxxj

VCID-qabh-bpmn-1ye5

Cross-Site Request Forgery in moodle The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

CVE-2024-25982
GHSA-7pjp-fm93-p6pj

VCID-r1ug-e8x6-83gt

Uncontrolled Resource Consumption Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.

CVE-2024-25978
GHSA-487g-3m3v-hjhq

VCID-yc6t-am1p-x3ev

Authorization Bypass in moodle Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).

CVE-2024-25983
GHSA-9r26-5w88-qhp9

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:47:25.944170+00:00	GitLab Importer	Affected by	VCID-dp61-6ban-cyda	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2024-28593.yml	38.6.0
2026-06-02T04:47:07.417366+00:00	GitLab Importer	Fixing	VCID-mhh7-n7ut-hkh6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2024-25979.yml	38.6.0
2026-06-02T04:47:07.346713+00:00	GitLab Importer	Fixing	VCID-qabh-bpmn-1ye5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2024-25982.yml	38.6.0
2026-06-02T04:47:07.109536+00:00	GitLab Importer	Fixing	VCID-6726-ca8y-4uez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2024-25981.yml	38.6.0
2026-06-02T04:47:07.039902+00:00	GitLab Importer	Fixing	VCID-gycn-bey2-4yam	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2024-25980.yml	38.6.0
2026-06-02T04:47:06.974095+00:00	GitLab Importer	Fixing	VCID-r1ug-e8x6-83gt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2024-25978.yml	38.6.0
2026-06-02T04:47:06.897234+00:00	GitLab Importer	Fixing	VCID-yc6t-am1p-x3ev	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/moodle/moodle/CVE-2024-25983.yml	38.6.0