Filtered by vendor Moodle
Subscriptions
Total
544 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-14631 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| moodle before versions 3.5.2, 3.4.5, 3.3.8 is vulnerable to a boost theme - blog search GET parameter insufficiently filtered. The breadcrumb navigation provided by Boost theme when displaying search results of a blog were insufficiently filtered, which could result in reflected XSS if a user followed a malicious link containing JavaScript in the search parameter. | ||||
| CVE-2018-14630 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source. | ||||
| CVE-2018-10890 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. It was possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories. | ||||
| CVE-2018-10889 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7. No option existed to omit logs from data privacy exports, which may contain details of other users who interacted with the requester. | ||||
| CVE-2018-10891 | 1 Moodle | 1 Moodle | 2024-08-05 | 7.3 High |
| A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank. | ||||
| CVE-2018-1135 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| An issue was discovered in Moodle 3.x. Students who posted on forums and exported the posts to portfolios can download any stored Moodle file by changing the download URL. | ||||
| CVE-2018-1134 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| An issue was discovered in Moodle 3.x. Students who submitted assignments and exported them to portfolios can download any stored Moodle file by changing the download URL. | ||||
| CVE-2018-1137 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack. | ||||
| CVE-2018-1133 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection. | ||||
| CVE-2018-1136 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other pages where they can be viewed by other users. | ||||
| CVE-2018-1043 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| In Moodle 3.x, the setting for blocked hosts list can be bypassed with multiple A record hostnames. | ||||
| CVE-2018-1045 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| In Moodle 3.x, there is XSS via a calendar event name. | ||||
| CVE-2018-1042 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| Moodle 3.x has Server Side Request Forgery in the filepicker. | ||||
| CVE-2018-1044 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings. | ||||
| CVE-2019-18210 | 1 Moodle | 1 Moodle | 2024-08-05 | 5.4 Medium |
| Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug." | ||||
| CVE-2019-14884 | 1 Moodle | 1 Moodle | 2024-08-05 | 6.1 Medium |
| A vulnerability was found in Moodle 3.7 before 3.73, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS possible from some fatal error messages. | ||||
| CVE-2019-14880 | 1 Moodle | 1 Moodle | 2024-08-05 | 9.1 Critical |
| A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise. | ||||
| CVE-2019-14882 | 1 Moodle | 1 Moodle | 2024-08-05 | 6.1 Medium |
| A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier where an open redirect existed in the Lesson edit page. | ||||
| CVE-2019-14881 | 1 Moodle | 1 Moodle | 2024-08-05 | 6.1 Medium |
| A vulnerability was found in moodle 3.7 before 3.7.3, where there is blind XSS reflected in some locations where user email is displayed. | ||||
| CVE-2019-14830 | 1 Moodle | 1 Moodle | 2024-08-05 | 6.1 Medium |
| A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app"). | ||||