CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Moodle : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-43560 668 2021-11-22 2021-11-26
5.0
None Remote Low Not required Partial None None
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.
2 CVE-2021-43559 352 CSRF 2021-11-22 2021-11-26
6.8
None Remote Medium Not required Partial Partial Partial
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.
3 CVE-2021-43558 79 XSS 2021-11-22 2021-11-26
4.3
None Remote Medium Not required None Partial None
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.
4 CVE-2021-32244 79 XSS 2021-06-16 2021-06-21
3.5
None Remote Medium ??? None Partial None
Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.
5 CVE-2021-21809 732 Exec Code 2021-06-23 2021-10-12
9.0
None Remote Low ??? Complete Complete Complete
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
6 CVE-2021-20283 863 2021-03-15 2021-03-23
4.0
None Remote Low ??? Partial None None
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
7 CVE-2021-20282 863 2021-03-15 2021-03-23
5.0
None Remote Low Not required None Partial None
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
8 CVE-2021-20281 200 +Info 2021-03-15 2021-03-23
5.0
None Remote Low Not required Partial None None
It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
9 CVE-2021-20280 79 XSS 2021-03-15 2021-11-17
3.5
None Remote Medium ??? None Partial None
Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
10 CVE-2021-20279 79 XSS 2021-03-15 2021-03-23
3.5
None Remote Medium ??? None Partial None
The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
11 CVE-2021-20187 94 2021-01-28 2021-02-01
6.5
None Remote Low ??? Partial Partial Partial
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.
12 CVE-2021-20186 79 XSS 2021-01-28 2021-02-01
2.1
None Remote High ??? Partial None None
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.
13 CVE-2021-20185 400 DoS 2021-01-28 2021-02-04
5.0
None Remote Low Not required None None Partial
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.
14 CVE-2021-20184 354 2021-01-28 2021-02-01
4.0
None Remote Low ??? Partial None None
It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades.
15 CVE-2021-20183 79 XSS 2021-01-28 2021-02-01
4.3
None Remote Medium Not required None Partial None
It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.
16 CVE-2021-3943 20 Exec Code 2021-11-22 2021-11-23
7.5
None Remote Low Not required Partial Partial Partial
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified.
17 CVE-2020-25703 200 +Info 2020-11-19 2021-10-19
5.0
None Remote Low Not required Partial None None
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.
18 CVE-2020-25702 79 XSS 2020-11-19 2020-12-03
4.3
None Remote Medium Not required None Partial None
In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.
19 CVE-2020-25701 863 2020-11-19 2020-12-01
5.0
None Remote Low Not required None Partial None
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
20 CVE-2020-25700 89 Sql 2020-11-19 2020-12-03
4.0
None Remote Low ??? None Partial None
In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10.
21 CVE-2020-25699 863 2020-11-19 2021-10-19
5.0
None Remote Low Not required None Partial None
In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
22 CVE-2020-25698 2020-11-19 2020-12-02
5.0
None Remote Low Not required None Partial None
Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
23 CVE-2020-25631 79 XSS 2020-12-08 2020-12-08
4.3
None Remote Medium Not required None Partial None
A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.
24 CVE-2020-25630 400 DoS 2020-12-08 2020-12-08
5.0
None Remote Low Not required None None Partial
A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
25 CVE-2020-25629 284 2020-12-08 2020-12-08
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
26 CVE-2020-25628 79 XSS 2020-12-08 2020-12-08
4.3
None Remote Medium Not required None Partial None
The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
27 CVE-2020-25627 79 XSS 2020-12-09 2020-12-10
4.3
None Remote Medium Not required None Partial None
The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2.
28 CVE-2020-10738 20 Exec Code 2020-05-21 2020-05-22
6.5
None Remote Low ??? Partial Partial Partial
A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions. It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution.
29 CVE-2020-1692 200 +Info 2020-02-17 2020-02-20
4.0
None Remote Low ??? Partial None None
Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course.
30 CVE-2019-18210 79 XSS 2020-02-11 2020-02-13
3.5
None Remote Medium ??? None Partial None
Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug."
31 CVE-2019-14884 79 XSS 2020-03-18 2020-03-19
4.3
None Remote Medium Not required None Partial None
A vulnerability was found in Moodle 3.7 before 3.73, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS possible from some fatal error messages.
32 CVE-2019-14883 862 2020-03-18 2020-10-09
4.3
None Remote Medium Not required Partial None None
A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token.
33 CVE-2019-14882 601 2020-03-18 2020-03-19
5.8
None Remote Medium Not required Partial Partial None
A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier where an open redirect existed in the Lesson edit page.
34 CVE-2019-14881 79 XSS 2020-03-18 2020-04-01
4.3
None Remote Medium Not required None Partial None
A vulnerability was found in moodle 3.7 before 3.7.3, where there is blind XSS reflected in some locations where user email is displayed.
35 CVE-2019-14880 2020-03-31 2020-04-02
6.4
None Remote Low Not required Partial Partial None
A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.
36 CVE-2019-14879 273 2020-01-07 2020-03-31
5.5
None Remote Low ??? Partial Partial None
A vulnerability was found in Moodle versions 3.7.x before 3.7.3, 3.6.x before 3.6.7 and 3.5.x before 3.5.9. When a cohort role assignment was removed, the associated capabilities were not being revoked (where applicable).
37 CVE-2019-14831 601 2021-03-19 2021-03-22
5.8
None Remote Medium Not required Partial Partial None
A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscribe link contained an open redirect if forced subscription mode was enabled. If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.
38 CVE-2019-14830 601 2021-03-19 2021-03-22
5.8
None Remote Medium Not required Partial Partial None
A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").
39 CVE-2019-14829 573 2021-03-19 2021-03-22
4.0
None Remote Low ??? None Partial None
A vulnerability was found in Moodle affection 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.
40 CVE-2019-14828 285 2021-03-19 2021-03-22
4.0
None Remote Low ??? None Partial None
A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.
41 CVE-2019-14827 94 2021-05-17 2021-06-01
4.3
None Remote Medium Not required None Partial None
A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions.
42 CVE-2019-10189 2019-07-31 2020-10-01
4.0
None Remote Low ??? None Partial None
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in an assignment group could modify group overrides for other groups in the same assignment.
43 CVE-2019-10188 2019-07-31 2020-09-30
4.0
None Remote Low ??? None Partial None
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in a quiz group could modify group overrides for other groups in the same quiz.
44 CVE-2019-10187 862 2019-07-31 2020-10-01
4.0
None Remote Low ??? None Partial None
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.
45 CVE-2019-10186 352 CSRF 2019-07-31 2019-08-27
6.8
None Remote Medium Not required Partial Partial Partial
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.
46 CVE-2019-10154 2019-06-26 2020-09-30
5.0
None Remote Low Not required Partial None None
A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.
47 CVE-2019-10134 2019-06-26 2021-10-28
4.3
None Remote Medium Not required None Partial None
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
48 CVE-2019-10133 601 2019-06-26 2019-10-09
5.8
None Remote Medium Not required Partial Partial None
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
49 CVE-2019-6970 918 2019-03-21 2019-03-22
6.0
None Remote Medium ??? Partial Partial Partial
Moodle 3.5.x before 3.5.4 allows SSRF.
50 CVE-2019-3852 2019-03-26 2020-08-24
4.0
None Remote Low ??? None Partial None
A vulnerability was found in moodle before version 3.6.3. The get_with_capability_join and get_users_by_capability functions were not taking context freezing into account when checking user capabilities
Total number of vulnerabilities : 428   Page : 1 (This Page)2 3 4 5 6 7 8 9
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.