Total
589 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-7532 | 1 Moodle | 1 Moodle | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Moodle 3.x, course creators are able to change system default settings for courses. | |||||
| CVE-2017-2643 | 1 Moodle | 1 Moodle | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Moodle 3.2.x, global search displays user names for unauthenticated users. | |||||
| CVE-2017-7491 | 1 Moodle | 1 Moodle | 2025-04-20 | 4.3 MEDIUM | 4.3 MEDIUM |
| In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting. | |||||
| CVE-2017-2645 | 1 Moodle | 1 Moodle | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Moodle 3.x, XSS can occur via attachments to evidence of prior learning. | |||||
| CVE-2016-3731 | 1 Moodle | 1 Moodle | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 allows remote attackers to obtain the names of hidden forums and forum discussions. | |||||
| CVE-2017-7298 | 1 Moodle | 1 Moodle | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element. | |||||
| CVE-2016-7038 | 1 Moodle | 1 Moodle | 2025-04-20 | 5.0 MEDIUM | 7.3 HIGH |
| In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. | |||||
| CVE-2016-3733 | 1 Moodle | 1 Moodle | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber. | |||||
| CVE-2016-3734 | 1 Moodle | 1 Moodle | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that marks forum posts as read. | |||||
| CVE-2014-3545 | 1 Moodle | 1 Moodle | 2025-04-12 | 6.0 MEDIUM | N/A |
| Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz. | |||||
| CVE-2015-5268 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| The rating component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 mishandles group-based authorization checks, which allows remote authenticated users to obtain sensitive information by reading a rating value. | |||||
| CVE-2014-9059 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.3 MEDIUM | N/A |
| lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts. | |||||
| CVE-2014-3552 | 1 Moodle | 1 Moodle | 2025-04-12 | 6.0 MEDIUM | N/A |
| The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before 2.5.7 does not check whether a session ID is empty, which allows remote authenticated users to hijack sessions via crafted plugin interaction. | |||||
| CVE-2016-2190 | 1 Moodle | 1 Moodle | 2025-04-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log. | |||||
| CVE-2014-7834 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.0 MEDIUM | N/A |
| mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service. | |||||
| CVE-2015-3175 | 1 Moodle | 1 Moodle | 2025-04-12 | 5.8 MEDIUM | N/A |
| Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an error page that links to a URL from an HTTP Referer header. | |||||
| CVE-2015-5337 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file. | |||||
| CVE-2014-0217 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.3 MEDIUM | N/A |
| enrol/index.php in Moodle 2.6.x before 2.6.3 does not check for the moodle/course:viewhiddencourses capability before listing hidden courses, which allows remote attackers to obtain sensitive name and summary information about these courses by leveraging the guest role and visiting a crafted URL. | |||||
| CVE-2014-0127 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.9 MEDIUM | N/A |
| The time-validation implementation in (1) mod/feedback/complete.php and (2) mod/feedback/complete_guest.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to bypass intended restrictions on starting a Feedback activity by choosing an unavailable time. | |||||
| CVE-2015-0217 | 1 Moodle | 1 Moodle | 2025-04-12 | 6.8 MEDIUM | N/A |
| filter/mediaplugin/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression. | |||||