Search for packages
| purl | pkg:composer/moodle/moodle@2.0.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1wv6-qr58-zqdy
Aliases: CVE-2011-4280 GHSA-mx5g-3vxh-rgm8 |
Moodle vulnerable to XSS via bundled spikephpcoverage library Cross-site scripting (XSS) vulnerability in the Spike PHPCoverage (aka spikephpcoverage) library, as used in Moodle 2.0.x before 2.0.2 and other products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 0 other vulnerabilities. |
|
VCID-3fz6-js97-dude
Aliases: CVE-2013-1836 GHSA-664q-mrxx-2x2v |
Moodle does not properly manage privileges for WebDAV repositories Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not properly manage privileges for WebDAV repositories, which allows remote authenticated users to read, modify, or delete arbitrary site-wide repositories by leveraging certain read access. |
Affected by 0 other vulnerabilities. Affected by 220 other vulnerabilities. Affected by 223 other vulnerabilities. |
|
VCID-4ays-sgtv-2ugg
Aliases: CVE-2012-1156 GHSA-358r-g2xw-7c83 |
Moodle backs up private files Moodle before 2.2.2, 2.1.5, and 2.0.8 had users' private files included in course backups unnecessarily. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-5kxb-cjhz-fqc7
Aliases: CVE-2011-4286 GHSA-86v9-gqh9-8268 |
Moodle vulnerable to Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in the media-filter implementation in filter/mediaplugin/filter.php in Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) Flash Video (aka FLV) files and (2) YouTube videos. |
Affected by 0 other vulnerabilities. |
|
VCID-7wfy-ub8w-zub2
Aliases: CVE-2011-4298 GHSA-8hxm-42v5-66hm |
Moodle vulnerable to Cross-Site Request Forgery Multiple cross-site request forgery (CSRF) vulnerabilities in mod/wiki/ components in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allow remote attackers to hijack the authentication of arbitrary users for requests that modify wiki data. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-99gv-grn8-qbah
Aliases: CVE-2011-4289 GHSA-3qg4-2fcm-c8f9 |
Moodle does not recogniz configuration setting that makes e-mail addresses visible only to course members Moodle 2.0.x before 2.0.3 does not recognize the configuration setting that makes e-mail addresses visible only to course members, which allows remote authenticated users to obtain sensitive address information by reading a full profile page. |
Affected by 0 other vulnerabilities. |
|
VCID-9vnd-cada-2ufg
Aliases: CVE-2011-4301 GHSA-jcrj-gmr6-p5j8 |
Moodle Allows Modification of Constants The `MoodleQuickForm` class in the Forms Library in `lib/formslib.php` in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 does not recognize Forms API `setConstant` operations, which allows remote attackers to submit unexpected form content by modifying the values of constant fields. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-a7ec-cy7v-sugb
Aliases: CVE-2011-4291 GHSA-m2pf-4pf8-45j2 |
Moodle allows remote authenticated users to cause a denial of service (invalid database records) Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted ratings operations. |
Affected by 0 other vulnerabilities. |
|
VCID-c6cg-mekw-bfc9
Aliases: CVE-2011-4299 GHSA-h6px-pvfh-q2jv |
Moodle vulnerable to Cross-Site Scripting Cross-site scripting (XSS) vulnerability in mod/wiki/pagelib.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote authenticated users to inject arbitrary web script or HTML via a wiki comment. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-dyq2-6y2d-4fft
Aliases: CVE-2011-4292 GHSA-fhgh-fjh9-vq62 |
Moodle allows remote authenticated users to cause a denial of service (invalid database records) Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted comments operations. |
Affected by 0 other vulnerabilities. |
|
VCID-fk37-49yf-rug8
Aliases: CVE-2013-1835 GHSA-cc94-hwj3-rf65 |
Moodle's login_as feature leaks information from external repositories Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated administrators to obtain sensitive information from the external repositories of arbitrary users by leveraging the login_as feature. |
Affected by 0 other vulnerabilities. Affected by 220 other vulnerabilities. Affected by 223 other vulnerabilities. |
|
VCID-gkth-mga1-zbfm
Aliases: CVE-2011-4279 GHSA-phqj-xp48-7p7c |
Moodle does not use the forceloginforprofiles setting for course-profiles access control Moodle 2.0.x before 2.0.2 does not use the forceloginforprofiles setting for course-profiles access control, which makes it easier for remote attackers to obtain potentially sensitive information via vectors involving use of a search engine, as demonstrated by the search functionality of Google, Yahoo!, Wrensoft Zoom, MSN, Yandex, and AltaVista. |
Affected by 0 other vulnerabilities. |
|
VCID-hum9-nt6p-6kde
Aliases: CVE-2011-4293 GHSA-wxvp-8q8h-r6rr |
Moodle Double-Caches Content, Potentially Writing to a File System's Tmp Directory The theme implementation in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 triggers duplicate caching of Cascading Style Sheets (CSS) and JavaScript content, which allows remote attackers to bypass intended access restrictions and write to an operating-system temporary directory via unspecified vectors. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-j6nc-cnze-53dr
Aliases: CVE-2011-4203 GHSA-4w8m-96v9-2c86 |
Moodle CRLF Injection Vulnerability in Calendar Component CRLF injection vulnerability in calendar/set.php in the Calendar component in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, 2.1.x before 2.1.3, and 2.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors involving the url variable. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jmkp-5gsj-vfg7
Aliases: CVE-2011-4287 GHSA-j3x5-cwfj-pfcw |
Moodle does not force password changes for autosubscribed users admin/uploaduser_form.php in Moodle 2.0.x before 2.0.3 does not force password changes for autosubscribed users, which makes it easier for remote attackers to obtain access by leveraging knowledge of the initial password of a new user. |
Affected by 0 other vulnerabilities. |
|
VCID-jzrm-6rf1-jyap
Aliases: CVE-2011-4278 GHSA-6656-6qwx-4c2m |
Moodle XSS In Tag Autocomplete functionality Cross-site scripting (XSS) vulnerability in the tag autocomplete functionality in Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 0 other vulnerabilities. |
|
VCID-kgtb-s2y4-juh8
Aliases: CVE-2013-1833 GHSA-89f3-74m6-g27g |
Moodle Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted filename. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 220 other vulnerabilities. Affected by 223 other vulnerabilities. |
|
VCID-nfyh-8p8f-6qhc
Aliases: CVE-2011-4297 GHSA-62wv-866c-rh86 |
Moodle does not properly restrict comment capabilities comment/lib.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 does not properly restrict comment capabilities, which allows remote attackers to post a comment by leveraging the guest role and operating on a front-page activity. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-nyge-5v2a-6fh7
Aliases: CVE-2012-1159 GHSA-p9hr-f4xj-8w8r |
Moodle included private user files in course backups Moodle before 2.2.2 is vulnerable to information disclosure because course backups were including users' private files. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-px25-bftd-akac
Aliases: CVE-2011-4283 GHSA-m3xp-4hf3-qfpp |
Moodle allows remote attackers to obtain sensitive information Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 places an IMS enterprise enrolment file in the course-files area, which allows remote attackers to obtain sensitive information via a request for imsenterprise-enrol.xml. |
Affected by 0 other vulnerabilities. |
|
VCID-ts9s-qsve-37dw
Aliases: CVE-2012-0797 GHSA-72gv-qqrp-h9qg |
Moodle Users Can Bypass Deleted Status The webservices functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote authenticated users to bypass the deleted status and continue using a server via a token. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-u46z-bhkp-sqg1
Aliases: CVE-2011-4281 GHSA-m97f-x4mr-4x3q |
Moodle vulnerable to Cross-Site Request Forgery Multiple cross-site request forgery (CSRF) vulnerabilities in Moodle 2.0.x before 2.0.2 allow remote attackers to hijack the authentication of arbitrary users for requests that mark the completion of (1) an activity or (2) a course. |
Affected by 0 other vulnerabilities. |
|
VCID-uert-vark-uyb4
Aliases: CVE-2011-4300 GHSA-9p54-pc88-36c4 |
Moodle does not properly restrict access to category and course data The `file_browser` component in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 does not properly restrict access to category and course data, which allows remote attackers to obtain potentially sensitive information via a request for a file. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vke8-nrkb-f7hm
Aliases: CVE-2011-4282 GHSA-6xqg-f34f-5fjx |
Moodle vulnerable to Cross-site Scripting Multiple cross-site scripting (XSS) vulnerabilities in the course-tags functionality in tag/coursetags_more.php in Moodle 2.0.x before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) sort or (2) show parameter. |
Affected by 0 other vulnerabilities. |
|
VCID-vpm4-thxc-tqb6
Aliases: CVE-2012-1157 GHSA-2x36-7xfm-pgm7 |
Moodle default permissions too permissive Moodle before 2.2.2 default settings allowed all repositories to be viewable by all authenticated users. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-weqz-n7rq-6ubc
Aliases: CVE-2011-4294 GHSA-hxmp-8f47-x9fc |
Moodle Open Redirect Via Error Messages The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via error message links that lead offsite. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-wqjj-dtxm-wkdb
Aliases: CVE-2011-4284 GHSA-mw6p-49jf-9935 |
Moodle allows remote attackers to obtain sensitive information from myprofile block by visiting user-context page Moodle 2.0.x before 2.0.2 allows remote attackers to obtain sensitive information from a myprofile (aka My profile) block by visiting a user-context page. |
Affected by 0 other vulnerabilities. |
|
VCID-wt2b-gzqy-p7c3
Aliases: CVE-2011-4285 GHSA-8vjj-wf73-w882 |
Moodle Incorrect Default Settings The default configuration of Moodle 2.0.x before 2.0.2 has an incorrect setting of the `moodle/course:delete` capability, which allows remote authenticated users to delete arbitrary courses by leveraging the teacher role. |
Affected by 0 other vulnerabilities. |
|
VCID-yf7v-fq77-7fgs
Aliases: CVE-2013-1832 GHSA-pgp5-rcwp-qvfg |
Moodle includes the WebDAV password in the configuration form repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance. |
Affected by 0 other vulnerabilities. Affected by 220 other vulnerabilities. Affected by 223 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||