{"url":"http://public2.vulnerablecode.io/api/packages/53200?format=json","purl":"pkg:composer/moodle/moodle@3.2.0","type":"composer","namespace":"moodle","name":"moodle","version":"3.2.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.2.9","latest_non_vulnerable_version":"5.1.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38613?format=json","vulnerability_id":"VCID-2dxb-v1af-jbax","summary":"Cross-Site Request Forgery (CSRF)\nA CSRF attack is possible that allows attackers to change the \"number of courses displayed in the course overview block\" configuration setting.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=352355","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=352355"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7491","reference_id":"CVE-2017-7491","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7491"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53398?format=json","purl":"pkg:composer/moodle/moodle@3.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-q2fa-jymp-c3bb"},{"vulnerability":"VCID-yp82-zj5g-pbaf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.3"}],"aliases":["CVE-2017-7491"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2dxb-v1af-jbax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38525?format=json","vulnerability_id":"VCID-2qjr-wjh1-8fh6","summary":"Information Exposure\nIn Moodle global search displays user names for unauthenticated users.","references":[{"reference_url":"http://www.securityfocus.com/bid/96978","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/96978"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2643","reference_id":"CVE-2017-2643","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2643"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53388?format=json","purl":"pkg:composer/moodle/moodle@3.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dxb-v1af-jbax"},{"vulnerability":"VCID-5rbf-4dz3-2qdz"},{"vulnerability":"VCID-b1q7-u3cx-ukej"},{"vulnerability":"VCID-vtq4-fpr8-hudb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.2"}],"aliases":["CVE-2017-2643"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2qjr-wjh1-8fh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38615?format=json","vulnerability_id":"VCID-5rbf-4dz3-2qdz","summary":"Improper Privilege Management\nRemote authenticated users can take ownership of arbitrary blogs by editing an external blog link.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=352353","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=352353"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7489","reference_id":"CVE-2017-7489","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7489"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53398?format=json","purl":"pkg:composer/moodle/moodle@3.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-q2fa-jymp-c3bb"},{"vulnerability":"VCID-yp82-zj5g-pbaf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.3"}],"aliases":["CVE-2017-7489"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5rbf-4dz3-2qdz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38453?format=json","vulnerability_id":"VCID-65y9-9ur2-pugc","summary":"Improper Input Validation\nThere is incorrect sanitization of attributes in forums.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=345912","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=345912"},{"reference_url":"http://www.securityfocus.com/bid/95649","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/95649"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2576","reference_id":"CVE-2017-2576","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2576"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53202?format=json","purl":"pkg:composer/moodle/moodle@3.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qjr-wjh1-8fh6"},{"vulnerability":"VCID-dhku-uah4-ykh8"},{"vulnerability":"VCID-jn5n-6hg9-tyf7"},{"vulnerability":"VCID-x927-nh46-7fdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.1"}],"aliases":["CVE-2017-2576"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-65y9-9ur2-pugc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39173?format=json","vulnerability_id":"VCID-83kb-4mk9-t7ge","summary":"Information Exposure\nStudents can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=361784","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=361784"},{"reference_url":"http://www.securityfocus.com/bid/101909","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/101909"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15110","reference_id":"CVE-2017-15110","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15110"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54109?format=json","purl":"pkg:composer/moodle/moodle@3.2.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ajkr-fxa1-mkhk"},{"vulnerability":"VCID-duna-st9c-mqbk"},{"vulnerability":"VCID-nc2j-pay7-ryab"},{"vulnerability":"VCID-yghg-775s-vber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.6"},{"url":"http://public2.vulnerablecode.io/api/packages/54110?format=json","purl":"pkg:composer/moodle/moodle@3.3.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ajkr-fxa1-mkhk"},{"vulnerability":"VCID-duna-st9c-mqbk"},{"vulnerability":"VCID-nc2j-pay7-ryab"},{"vulnerability":"VCID-yghg-775s-vber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.3"}],"aliases":["CVE-2017-15110"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-83kb-4mk9-t7ge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38851?format=json","vulnerability_id":"VCID-9nd7-4wve-97hc","summary":"Information Exposure\nVarious course reports allow teachers to view details about users in the groups they cannot access.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=358586","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=358586"},{"reference_url":"http://www.securityfocus.com/bid/100848","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/100848"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12157","reference_id":"CVE-2017-12157","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12157"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54107?format=json","purl":"pkg:composer/moodle/moodle@3.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-83kb-4mk9-t7ge"},{"vulnerability":"VCID-zgzm-wj81-jkah"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.5"},{"url":"http://public2.vulnerablecode.io/api/packages/53785?format=json","purl":"pkg:composer/moodle/moodle@3.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-83kb-4mk9-t7ge"},{"vulnerability":"VCID-zgzm-wj81-jkah"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.2"}],"aliases":["CVE-2017-12157"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9nd7-4wve-97hc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39322?format=json","vulnerability_id":"VCID-ajkr-fxa1-mkhk","summary":"Cross-site Scripting\nMoodle is vulnerable to XSS via a calendar event name.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=364384","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=364384"},{"reference_url":"http://www.securityfocus.com/bid/102755","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/102755"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1045","reference_id":"CVE-2018-1045","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1045"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54886?format=json","purl":"pkg:composer/moodle/moodle@3.2.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-m4zv-e3dn-budf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.7"},{"url":"http://public2.vulnerablecode.io/api/packages/54887?format=json","purl":"pkg:composer/moodle/moodle@3.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fygy-9njn-abgd"},{"vulnerability":"VCID-m4zv-e3dn-budf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.4"}],"aliases":["CVE-2018-1045"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ajkr-fxa1-mkhk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39653?format=json","vulnerability_id":"VCID-b7br-bh2d-rygp","summary":"Improper Input Validation\nAn issue was discovered in Moodle. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=371204","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=371204"},{"reference_url":"http://www.securityfocus.com/bid/104307","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/104307"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1137","reference_id":"CVE-2018-1137","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1137"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55491?format=json","purl":"pkg:composer/moodle/moodle@3.2.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/55492?format=json","purl":"pkg:composer/moodle/moodle@3.3.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/55493?format=json","purl":"pkg:composer/moodle/moodle@3.4.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.4.3"}],"aliases":["CVE-2018-1137"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b7br-bh2d-rygp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39655?format=json","vulnerability_id":"VCID-ckg1-9vpt-yfdk","summary":"Improper Privilege Management\nAn issue was discovered in Moodle. Students who submitted assignments and exported them to portfolios can download any stored Moodle file by changing the download URL.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=371200","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=371200"},{"reference_url":"http://www.securityfocus.com/bid/104307","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/104307"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1134","reference_id":"CVE-2018-1134","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1134"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55491?format=json","purl":"pkg:composer/moodle/moodle@3.2.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/55492?format=json","purl":"pkg:composer/moodle/moodle@3.3.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/55493?format=json","purl":"pkg:composer/moodle/moodle@3.4.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.4.3"}],"aliases":["CVE-2018-1134"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ckg1-9vpt-yfdk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38523?format=json","vulnerability_id":"VCID-dhku-uah4-ykh8","summary":"SQL Injection\nAn SQL injection can occur via user preferences.","references":[{"reference_url":"http://www.securityfocus.com/bid/96977","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/96977"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2641","reference_id":"CVE-2017-2641","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2641"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53388?format=json","purl":"pkg:composer/moodle/moodle@3.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dxb-v1af-jbax"},{"vulnerability":"VCID-5rbf-4dz3-2qdz"},{"vulnerability":"VCID-b1q7-u3cx-ukej"},{"vulnerability":"VCID-vtq4-fpr8-hudb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.2"}],"aliases":["CVE-2017-2641"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dhku-uah4-ykh8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39325?format=json","vulnerability_id":"VCID-duna-st9c-mqbk","summary":"Information Exposure\nIn Moodle, the quiz web services allow students to see quiz results when it is prohibited in the settings.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=364383","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=364383"},{"reference_url":"http://www.securityfocus.com/bid/102754","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/102754"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1044","reference_id":"CVE-2018-1044","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1044"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54886?format=json","purl":"pkg:composer/moodle/moodle@3.2.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-m4zv-e3dn-budf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.7"},{"url":"http://public2.vulnerablecode.io/api/packages/54887?format=json","purl":"pkg:composer/moodle/moodle@3.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fygy-9njn-abgd"},{"vulnerability":"VCID-m4zv-e3dn-budf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.4"},{"url":"http://public2.vulnerablecode.io/api/packages/54896?format=json","purl":"pkg:composer/moodle/moodle@3.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fygy-9njn-abgd"},{"vulnerability":"VCID-m4zv-e3dn-budf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.4.1"}],"aliases":["CVE-2018-1044"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-duna-st9c-mqbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38451?format=json","vulnerability_id":"VCID-e2zc-7ujn-wybu","summary":"Cross-site Scripting\nThere is XSS in the assignment submission page.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=345915","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=345915"},{"reference_url":"http://www.securityfocus.com/bid/95647","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/95647"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2578","reference_id":"CVE-2017-2578","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2578"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53202?format=json","purl":"pkg:composer/moodle/moodle@3.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qjr-wjh1-8fh6"},{"vulnerability":"VCID-dhku-uah4-ykh8"},{"vulnerability":"VCID-jn5n-6hg9-tyf7"},{"vulnerability":"VCID-x927-nh46-7fdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.1"}],"aliases":["CVE-2017-2578"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e2zc-7ujn-wybu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39657?format=json","vulnerability_id":"VCID-fegs-ubsk-63hu","summary":"Information Exposure\nAn issue was discovered in Moodle. Students who posted on forums and exported the posts to portfolios can download any stored Moodle file by changing the download URL.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=371201","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=371201"},{"reference_url":"http://www.securityfocus.com/bid/104307","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/104307"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1135","reference_id":"CVE-2018-1135","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1135"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55491?format=json","purl":"pkg:composer/moodle/moodle@3.2.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/55492?format=json","purl":"pkg:composer/moodle/moodle@3.3.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/55493?format=json","purl":"pkg:composer/moodle/moodle@3.4.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.4.3"}],"aliases":["CVE-2018-1135"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fegs-ubsk-63hu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39656?format=json","vulnerability_id":"VCID-g8ct-c4ce-zuaf","summary":"Cross-site Scripting\nAn issue was discovered in Moodle. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other pages where they can be viewed by other users.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=371202","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=371202"},{"reference_url":"http://www.securityfocus.com/bid/104307","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/104307"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1136","reference_id":"CVE-2018-1136","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1136"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55491?format=json","purl":"pkg:composer/moodle/moodle@3.2.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/55492?format=json","purl":"pkg:composer/moodle/moodle@3.3.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/55493?format=json","purl":"pkg:composer/moodle/moodle@3.4.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.4.3"}],"aliases":["CVE-2018-1136"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g8ct-c4ce-zuaf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38522?format=json","vulnerability_id":"VCID-jn5n-6hg9-tyf7","summary":"Cross-site Scripting\nAn XSS can occur via evidence of prior learning.","references":[{"reference_url":"http://www.securityfocus.com/bid/96979","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/96979"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2644","reference_id":"CVE-2017-2644","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2644"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53388?format=json","purl":"pkg:composer/moodle/moodle@3.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dxb-v1af-jbax"},{"vulnerability":"VCID-5rbf-4dz3-2qdz"},{"vulnerability":"VCID-b1q7-u3cx-ukej"},{"vulnerability":"VCID-vtq4-fpr8-hudb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.2"}],"aliases":["CVE-2017-2644"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jn5n-6hg9-tyf7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39536?format=json","vulnerability_id":"VCID-m4zv-e3dn-budf","summary":"Improper Access Control\nUnauthenticated users can trigger custom messages to admin via paypal enrol script. Paypal IPN callback script should only send error emails to admin after request origin was verified, otherwise admin email can be spammed.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=367938","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=367938"},{"reference_url":"http://www.securityfocus.com/bid/103728","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/103728"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1081","reference_id":"CVE-2018-1081","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1081"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55319?format=json","purl":"pkg:composer/moodle/moodle@3.2.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-b7br-bh2d-rygp"},{"vulnerability":"VCID-ckg1-9vpt-yfdk"},{"vulnerability":"VCID-fegs-ubsk-63hu"},{"vulnerability":"VCID-g8ct-c4ce-zuaf"},{"vulnerability":"VCID-p2gd-7uam-mqf8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.8"},{"url":"http://public2.vulnerablecode.io/api/packages/55320?format=json","purl":"pkg:composer/moodle/moodle@3.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-b7br-bh2d-rygp"},{"vulnerability":"VCID-ckg1-9vpt-yfdk"},{"vulnerability":"VCID-fegs-ubsk-63hu"},{"vulnerability":"VCID-g8ct-c4ce-zuaf"},{"vulnerability":"VCID-p2gd-7uam-mqf8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/55321?format=json","purl":"pkg:composer/moodle/moodle@3.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-b7br-bh2d-rygp"},{"vulnerability":"VCID-ckg1-9vpt-yfdk"},{"vulnerability":"VCID-fegs-ubsk-63hu"},{"vulnerability":"VCID-g8ct-c4ce-zuaf"},{"vulnerability":"VCID-p2gd-7uam-mqf8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.4.2"}],"aliases":["CVE-2018-1081"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m4zv-e3dn-budf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39328?format=json","vulnerability_id":"VCID-nc2j-pay7-ryab","summary":"Insufficient Access Control\nThe setting for blocked hosts list can be bypassed with multiple A record `hostnames`.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=364382","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=364382"},{"reference_url":"http://www.securityfocus.com/bid/102769","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/102769"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1043","reference_id":"CVE-2018-1043","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1043"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54886?format=json","purl":"pkg:composer/moodle/moodle@3.2.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-m4zv-e3dn-budf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.7"},{"url":"http://public2.vulnerablecode.io/api/packages/54887?format=json","purl":"pkg:composer/moodle/moodle@3.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fygy-9njn-abgd"},{"vulnerability":"VCID-m4zv-e3dn-budf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.4"},{"url":"http://public2.vulnerablecode.io/api/packages/54896?format=json","purl":"pkg:composer/moodle/moodle@3.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fygy-9njn-abgd"},{"vulnerability":"VCID-m4zv-e3dn-budf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.4.1"}],"aliases":["CVE-2018-1043"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nc2j-pay7-ryab"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39654?format=json","vulnerability_id":"VCID-p2gd-7uam-mqf8","summary":"Injection Vulnerability\nAn issue was discovered in Moodle. A Teacher creating a Calculated question can intentionally cause remote code execution on the server.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=371199","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=371199"},{"reference_url":"https://www.exploit-db.com/exploits/46551/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/46551/"},{"reference_url":"http://www.securityfocus.com/bid/104307","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/104307"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1133","reference_id":"CVE-2018-1133","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1133"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55491?format=json","purl":"pkg:composer/moodle/moodle@3.2.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/55492?format=json","purl":"pkg:composer/moodle/moodle@3.3.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/55493?format=json","purl":"pkg:composer/moodle/moodle@3.4.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.4.3"}],"aliases":["CVE-2018-1133"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p2gd-7uam-mqf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38688?format=json","vulnerability_id":"VCID-q2fa-jymp-c3bb","summary":"Information Exposure\nMoodle has a user fullname disclosure through the user preferences page.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=355554","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=355554"},{"reference_url":"http://www.securityfocus.com/bid/99606","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/99606"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2642","reference_id":"CVE-2017-2642","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2642"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53784?format=json","purl":"pkg:composer/moodle/moodle@3.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9nd7-4wve-97hc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.4"},{"url":"http://public2.vulnerablecode.io/api/packages/53785?format=json","purl":"pkg:composer/moodle/moodle@3.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-83kb-4mk9-t7ge"},{"vulnerability":"VCID-zgzm-wj81-jkah"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.2"}],"aliases":["CVE-2017-2642"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q2fa-jymp-c3bb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38612?format=json","vulnerability_id":"VCID-vtq4-fpr8-hudb","summary":"Exposure of Resource to Wrong Sphere\nIn Moodle, searching of arbitrary blogs is possible because a capability check is missing.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=352354","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=352354"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7490","reference_id":"CVE-2017-7490","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7490"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53398?format=json","purl":"pkg:composer/moodle/moodle@3.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-q2fa-jymp-c3bb"},{"vulnerability":"VCID-yp82-zj5g-pbaf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.3"}],"aliases":["CVE-2017-7490"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vtq4-fpr8-hudb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38524?format=json","vulnerability_id":"VCID-x927-nh46-7fdy","summary":"Cross-site Scripting\nIn Moodle, an XSS can occur via attachments to evidence of prior learning.","references":[{"reference_url":"http://www.securityfocus.com/bid/96982","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/96982"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2645","reference_id":"CVE-2017-2645","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2645"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53388?format=json","purl":"pkg:composer/moodle/moodle@3.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2dxb-v1af-jbax"},{"vulnerability":"VCID-5rbf-4dz3-2qdz"},{"vulnerability":"VCID-b1q7-u3cx-ukej"},{"vulnerability":"VCID-vtq4-fpr8-hudb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.2"}],"aliases":["CVE-2017-2645"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x927-nh46-7fdy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39329?format=json","vulnerability_id":"VCID-yghg-775s-vber","summary":"Server-Side Request Forgery (SSRF)\nMoodle has Server Side Request Forgery in the `filepicker`.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=364381","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=364381"},{"reference_url":"http://www.securityfocus.com/bid/102752","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/102752"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1042","reference_id":"CVE-2018-1042","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1042"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54886?format=json","purl":"pkg:composer/moodle/moodle@3.2.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-m4zv-e3dn-budf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.7"},{"url":"http://public2.vulnerablecode.io/api/packages/54887?format=json","purl":"pkg:composer/moodle/moodle@3.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fygy-9njn-abgd"},{"vulnerability":"VCID-m4zv-e3dn-budf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.4"},{"url":"http://public2.vulnerablecode.io/api/packages/54896?format=json","purl":"pkg:composer/moodle/moodle@3.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fygy-9njn-abgd"},{"vulnerability":"VCID-m4zv-e3dn-budf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.4.1"}],"aliases":["CVE-2018-1042"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yghg-775s-vber"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38681?format=json","vulnerability_id":"VCID-yp82-zj5g-pbaf","summary":"Improper Privilege Management\nCourse creators are able to change system default settings for courses.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=355556","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=355556"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7532","reference_id":"CVE-2017-7532","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7532"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53784?format=json","purl":"pkg:composer/moodle/moodle@3.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9nd7-4wve-97hc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.4"},{"url":"http://public2.vulnerablecode.io/api/packages/53785?format=json","purl":"pkg:composer/moodle/moodle@3.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-83kb-4mk9-t7ge"},{"vulnerability":"VCID-zgzm-wj81-jkah"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.2"}],"aliases":["CVE-2017-7532"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yp82-zj5g-pbaf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38850?format=json","vulnerability_id":"VCID-zgzm-wj81-jkah","summary":"Cross-site Scripting\nMoodle has an XSS in the contact form on the \"non-respondents\" page in non-anonymous feedback.","references":[{"reference_url":"https://moodle.org/mod/forum/discuss.php?d=358585","reference_id":"","reference_type":"","scores":[],"url":"https://moodle.org/mod/forum/discuss.php?d=358585"},{"reference_url":"http://www.securityfocus.com/bid/100867","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/100867"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12156","reference_id":"CVE-2017-12156","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12156"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54109?format=json","purl":"pkg:composer/moodle/moodle@3.2.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ajkr-fxa1-mkhk"},{"vulnerability":"VCID-duna-st9c-mqbk"},{"vulnerability":"VCID-nc2j-pay7-ryab"},{"vulnerability":"VCID-yghg-775s-vber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.6"},{"url":"http://public2.vulnerablecode.io/api/packages/54110?format=json","purl":"pkg:composer/moodle/moodle@3.3.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ajkr-fxa1-mkhk"},{"vulnerability":"VCID-duna-st9c-mqbk"},{"vulnerability":"VCID-nc2j-pay7-ryab"},{"vulnerability":"VCID-yghg-775s-vber"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.3.3"}],"aliases":["CVE-2017-12156"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zgzm-wj81-jkah"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/moodle/moodle@3.2.0"}