Total
590 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2012-2354 | 1 Moodle | 1 Moodle | 2025-04-11 | 4.0 MEDIUM | N/A |
Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass the moodle/site:readallmessages capability requirement and read arbitrary messages by using the "Recent conversations" feature with a modified parameter in a URL. | |||||
CVE-2012-2353 | 1 Moodle | 1 Moodle | 2025-04-11 | 4.0 MEDIUM | N/A |
Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to obtain sensitive user information from hidden fields by leveraging the teacher role and navigating to "Enrolled users" under the Users Settings section. | |||||
CVE-2012-2360 | 1 Moodle | 1 Moodle | 2025-04-11 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the Wiki subsystem in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted string that is inserted into a page title. | |||||
CVE-2012-0796 | 1 Moodle | 1 Moodle | 2025-04-11 | 4.0 MEDIUM | N/A |
class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 and other products, allows remote authenticated users to inject arbitrary e-mail headers via vectors involving a crafted (1) From: or (2) Sender: header. | |||||
CVE-2013-1832 | 1 Moodle | 1 Moodle | 2025-04-11 | 4.0 MEDIUM | N/A |
repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance. | |||||
CVE-2010-1619 | 1 Moodle | 1 Moodle | 2025-04-11 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities. | |||||
CVE-2012-6106 | 1 Moodle | 1 Moodle | 2025-04-11 | 5.5 MEDIUM | N/A |
calendar/managesubscriptions.php in the Manage Subscriptions implementation in Moodle 2.4.x before 2.4.1 omits a capability check, which allows remote authenticated users to remove course-level calendar subscriptions by leveraging the student role and sending an iCalendar object. | |||||
CVE-2012-5480 | 1 Moodle | 1 Moodle | 2025-04-11 | 6.4 MEDIUM | N/A |
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote attackers to bypass intended restrictions on reading other participants' entries via an advanced search. | |||||
CVE-2013-3630 | 1 Moodle | 1 Moodle | 2025-04-11 | 4.6 MEDIUM | N/A |
Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor. | |||||
CVE-2013-5674 | 1 Moodle | 1 Moodle | 2025-04-11 | 7.5 HIGH | N/A |
badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter. | |||||
CVE-2013-2245 | 1 Moodle | 1 Moodle | 2025-04-11 | 4.0 MEDIUM | N/A |
rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly implement the use of RSS tokens for impersonation, which allows remote authenticated users to obtain sensitive block information by reading an RSS feed. | |||||
CVE-2012-5479 | 1 Moodle | 1 Moodle | 2025-04-11 | 6.5 MEDIUM | N/A |
The Portfolio plugin in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to upload and execute files via a modified Portfolio API callback. | |||||
CVE-2013-1831 | 1 Moodle | 1 Moodle | 2025-04-11 | 5.0 MEDIUM | N/A |
lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message. | |||||
CVE-2012-3391 | 1 Moodle | 1 Moodle | 2025-04-11 | 4.0 MEDIUM | N/A |
mod/forum/rsslib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not properly implement the requirement for posting before reading a Q&A forum, which allows remote authenticated users to bypass intended access restrictions by leveraging the student role and reading the RSS feed for a forum. | |||||
CVE-2011-4304 | 1 Moodle | 1 Moodle | 2025-04-11 | 4.0 MEDIUM | N/A |
The chat functionality in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote authenticated users to discover the name of any user via a beep operation. | |||||
CVE-2012-3396 | 1 Moodle | 1 Moodle | 2025-04-11 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in cohort/edit_form.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the idnumber field. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2365. | |||||
CVE-2012-6099 | 1 Moodle | 1 Moodle | 2025-04-11 | 4.0 MEDIUM | N/A |
The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature. | |||||
CVE-2012-6102 | 1 Moodle | 1 Moodle | 2025-04-11 | 6.4 MEDIUM | N/A |
lib.php in the Submission comments plugin in the Assignment module in Moodle 2.3.x before 2.3.4 and 2.4.x before 2.4.1 allows remote attackers to read or modify the submission comments (aka feedback comments) of arbitrary users via a crafted URI. | |||||
CVE-2011-4278 | 1 Moodle | 1 Moodle | 2025-04-11 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the tag autocomplete functionality in Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2012-6087 | 1 Moodle | 1 Moodle | 2025-04-11 | 5.8 MEDIUM | N/A |
repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value. |