Filtered by vendor Moodle Subscriptions
Total 544 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2012-4400 1 Moodle 1 Moodle 2024-09-16 N/A
repository/repository_ajax.php in Moodle 2.2.x before 2.2.5 and 2.3.x before 2.3.2 allows remote authenticated users to bypass intended upload-size restrictions via a -1 value in the maxbytes field.
CVE-2006-4937 1 Moodle 1 Moodle 2024-09-16 N/A
lib/setup.php in Moodle before 1.6.2 sets the error reporting level to 7 to display E_WARNING messages to users even if debugging is disabled, which might allow remote authenticated users to obtain sensitive information by triggering the messages.
CVE-2005-2247 1 Moodle 1 Moodle 2024-09-16 N/A
Multiple unknown vulnerabilities in Moodle before 1.5.1 have unknown impact and attack vectors.
CVE-2009-4305 1 Moodle 1 Moodle 2024-09-16 N/A
SQL injection vulnerability in the SCORM module in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 allows remote authenticated users to execute arbitrary SQL commands via vectors related to an "escaping issue when processing AICC CRS file (Course_Title)."
CVE-2013-1829 1 Moodle 1 Moodle 2024-09-16 N/A
calendar/managesubscriptions.php in Moodle 2.4.x before 2.4.2 does not consider capability requirements before displaying calendar subscriptions, which allows remote authenticated users to obtain potentially sensitive information by leveraging the student role.
CVE-2011-4298 1 Moodle 1 Moodle 2024-09-16 N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in mod/wiki/ components in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allow remote attackers to hijack the authentication of arbitrary users for requests that modify wiki data.
CVE-2008-6124 2 Debian, Moodle 2 Debian Linux, Moodle 2024-09-16 N/A
SQL injection vulnerability in the hotpot_delete_selected_attempts function in report.php in the HotPot module in Moodle 1.6 before 1.6.7, 1.7 before 1.7.5, 1.8 before 1.8.6, and 1.9 before 1.9.2 allows remote attackers to execute arbitrary SQL commands via a crafted selected attempt.
CVE-2013-2243 1 Moodle 1 Moodle 2024-09-16 N/A
mod/lesson/pagetypes/matching.php in Moodle through 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 allows remote authenticated users to obtain sensitive answer information by reading the HTML source code of a document.
CVE-2012-4401 1 Moodle 1 Moodle 2024-09-16 N/A
Moodle 2.2.x before 2.2.5 and 2.3.x before 2.3.2 allows remote authenticated users to bypass intended capability restrictions and perform certain topic changes by leveraging course-editing capabilities.
CVE-2011-3757 1 Moodle 1 Moodle 2024-09-16 N/A
Moodle 2.0.1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by webservice/xmlrpc/locallib.php and certain other files.
CVE-2006-4936 1 Moodle 1 Moodle 2024-09-16 N/A
Moodle before 1.6.2 does not properly validate the module instance id when creating a course module object, which has unspecified impact and remote attack vectors.
CVE-2013-4938 1 Moodle 1 Moodle 2024-09-16 N/A
The LTI (aka IMS-LTI) mod_form implementation in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly support the sendname, sendemailaddr, and acceptgrades settings, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging an environment in which there was an ineffective attempt to enable the more secure values.
CVE-2018-1081 1 Moodle 1 Moodle 2024-09-16 5.3 Medium
A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via paypal enrol script. Paypal IPN callback script should only send error emails to admin after request origin was verified, otherwise admin email can be spammed.
CVE-2006-4938 1 Moodle 1 Moodle 2024-09-16 N/A
help.php in Moodle before 1.6.2 does not check the existence of certain help files before including them, which might allow remote authenticated users to obtain the path in an error message.
CVE-2008-6125 2 Debian, Moodle 2 Debian Linux, Moodle 2024-09-16 N/A
Unspecified vulnerability in the user editing interface in Moodle 1.5.x, 1.6 before 1.6.6, and 1.7 before 1.7.3 allows remote authenticated users to gain privileges via unknown vectors.
CVE-2006-4943 1 Moodle 1 Moodle 2024-09-16 N/A
course/jumpto.php in Moodle before 1.6.2 does not validate the session key (sesskey) before providing content from arbitrary local URIs, which allows remote attackers to obtain sensitive information via the jump parameter.
CVE-2009-4302 1 Moodle 1 Moodle 2024-09-16 N/A
login/index_form.html in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 links to an index page on the HTTP port even when the page is served from an HTTPS port, which might cause login credentials to be sent in cleartext, even when SSL is intended, and allows remote attackers to obtain these credentials by sniffing.
CVE-2006-6626 1 Moodle 1 Moodle 2024-09-16 N/A
Cross-site scripting (XSS) vulnerability in an unspecified component of Moodle 1.5 allows remote attackers to inject arbitrary web script or HTML via a javascript URI in the SRC attribute of an IMG element. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. NOTE: It is unclear whether this candidate overlaps CVE-2006-4784 or CVE-2006-4941.
CVE-2012-4408 1 Moodle 1 Moodle 2024-09-16 N/A
course/reset.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 checks an update capability instead of a reset capability, which allows remote authenticated users to bypass intended access restrictions via a reset operation.
CVE-2013-4941 2 Moodle, Yahoo 2 Moodle, Yui 2024-09-16 N/A
Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.