| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured. |
| The router’s inconsistent response to invalid course IDs allowed attackers to infer which course IDs exist, potentially aiding reconnaissance. |
| A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts. |
| Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks. |
| Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information. |
| An issue in Moodle’s timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to complete an assessment. |
| The question bank filter required additional sanitizing to prevent a reflected XSS risk. |
| Insufficient sanitizing in the TeX notation filter resulted in an
arbitrary file read risk on sites where pdfTeX is available (such as
those with TeX Live installed). |
| Separate Groups mode restrictions were not factored into permission
checks before allowing viewing or deletion of responses in Feedback
activities. |
| Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block. |
| The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk. |
| Description information displayed in the site administration live log
required additional sanitizing to prevent a stored XSS risk. |
| A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two. |
| Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt. |
| Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access. |
| Insufficient capability checks made it possible to disable badges a user does not have permission to access. |
| Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored. |
| An SQL injection risk was identified in the module list filter within course search. |
| A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report. |
| A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators. |
