CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Moodle : Security Vulnerabilities (CVSS score between 4 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-43558 79 XSS 2021-11-22 2021-11-26
4.3
None Remote Medium Not required None Partial None
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.
2 CVE-2021-20283 863 2021-03-15 2021-03-23
4.0
None Remote Low ??? Partial None None
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
3 CVE-2021-20184 354 2021-01-28 2021-02-01
4.0
None Remote Low ??? Partial None None
It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades.
4 CVE-2021-20183 79 XSS 2021-01-28 2021-02-01
4.3
None Remote Medium Not required None Partial None
It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.
5 CVE-2020-25702 79 XSS 2020-11-19 2020-12-03
4.3
None Remote Medium Not required None Partial None
In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.
6 CVE-2020-25700 89 Sql 2020-11-19 2020-12-03
4.0
None Remote Low ??? None Partial None
In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10.
7 CVE-2020-25631 79 XSS 2020-12-08 2020-12-08
4.3
None Remote Medium Not required None Partial None
A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.
8 CVE-2020-25628 79 XSS 2020-12-08 2020-12-08
4.3
None Remote Medium Not required None Partial None
The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
9 CVE-2020-25627 79 XSS 2020-12-09 2020-12-10
4.3
None Remote Medium Not required None Partial None
The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2.
10 CVE-2020-1692 200 +Info 2020-02-17 2020-02-20
4.0
None Remote Low ??? Partial None None
Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course.
11 CVE-2019-14884 79 XSS 2020-03-18 2020-03-19
4.3
None Remote Medium Not required None Partial None
A vulnerability was found in Moodle 3.7 before 3.73, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS possible from some fatal error messages.
12 CVE-2019-14883 862 2020-03-18 2020-10-09
4.3
None Remote Medium Not required Partial None None
A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token.
13 CVE-2019-14881 79 XSS 2020-03-18 2020-04-01
4.3
None Remote Medium Not required None Partial None
A vulnerability was found in moodle 3.7 before 3.7.3, where there is blind XSS reflected in some locations where user email is displayed.
14 CVE-2019-14829 573 2021-03-19 2021-03-22
4.0
None Remote Low ??? None Partial None
A vulnerability was found in Moodle affection 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.
15 CVE-2019-14828 285 2021-03-19 2021-03-22
4.0
None Remote Low ??? None Partial None
A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.
16 CVE-2019-14827 94 2021-05-17 2021-06-01
4.3
None Remote Medium Not required None Partial None
A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions.
17 CVE-2019-10189 2019-07-31 2020-10-01
4.0
None Remote Low ??? None Partial None
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in an assignment group could modify group overrides for other groups in the same assignment.
18 CVE-2019-10188 2019-07-31 2020-09-30
4.0
None Remote Low ??? None Partial None
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in a quiz group could modify group overrides for other groups in the same quiz.
19 CVE-2019-10187 862 2019-07-31 2020-10-01
4.0
None Remote Low ??? None Partial None
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.
20 CVE-2019-10134 2019-06-26 2021-10-28
4.3
None Remote Medium Not required None Partial None
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
21 CVE-2019-3852 2019-03-26 2020-08-24
4.0
None Remote Low ??? None Partial None
A vulnerability was found in moodle before version 3.6.3. The get_with_capability_join and get_users_by_capability functions were not taking context freezing into account when checking user capabilities
22 CVE-2019-3851 2019-03-26 2020-08-24
4.0
None Remote Low ??? None Partial None
A vulnerability was found in moodle before versions 3.6.3 and 3.5.5. There was a link to site home within the the Boost theme's secure layout, meaning students could navigate out of the page.
23 CVE-2019-3848 863 2019-03-26 2021-11-02
4.0
None Remote Low ??? Partial None None
A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)
24 CVE-2019-3808 79 XSS 2019-03-25 2020-10-19
4.0
None Remote Low ??? None Partial None
A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default.
25 CVE-2018-14631 79 XSS 2018-09-17 2019-10-09
4.3
None Remote Medium Not required None Partial None
moodle before versions 3.5.2, 3.4.5, 3.3.8 is vulnerable to a boost theme - blog search GET parameter insufficiently filtered. The breadcrumb navigation provided by Boost theme when displaying search results of a blog were insufficiently filtered, which could result in reflected XSS if a user followed a malicious link containing JavaScript in the search parameter.
26 CVE-2018-1136 79 XSS 2018-05-25 2019-10-03
4.0
None Remote Low ??? Partial None None
An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other pages where they can be viewed by other users.
27 CVE-2018-1135 200 +Info 2018-05-25 2018-06-25
4.0
None Remote Low ??? Partial None None
An issue was discovered in Moodle 3.x. Students who posted on forums and exported the posts to portfolios can download any stored Moodle file by changing the download URL.
28 CVE-2018-1134 269 2018-05-25 2019-10-03
4.0
None Remote Low ??? Partial None None
An issue was discovered in Moodle 3.x. Students who submitted assignments and exported them to portfolios can download any stored Moodle file by changing the download URL.
29 CVE-2018-1044 200 +Info 2018-01-22 2018-02-05
4.0
None Remote Low ??? Partial None None
In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings.
30 CVE-2018-1043 Bypass 2018-01-22 2019-10-03
4.0
None Remote Low ??? None Partial None
In Moodle 3.x, the setting for blocked hosts list can be bypassed with multiple A record hostnames.
31 CVE-2018-1042 918 2018-01-22 2019-07-27
4.0
None Remote Low ??? Partial None None
Moodle 3.x has Server Side Request Forgery in the filepicker.
32 CVE-2017-15110 200 +Info 2017-11-20 2017-12-06
4.0
None Remote Low ??? Partial None None
In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students.
33 CVE-2017-12157 200 +Info 2017-09-18 2017-09-28
4.0
None Remote Low ??? Partial None None
In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access.
34 CVE-2017-12156 79 XSS 2017-09-18 2017-09-21
4.3
None Remote Medium Not required None Partial None
Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback.
35 CVE-2017-7532 269 2017-07-17 2019-10-03
4.0
None Remote Low ??? None Partial None
In Moodle 3.x, course creators are able to change system default settings for courses.
36 CVE-2017-7531 200 +Info 2017-07-17 2020-12-01
4.0
None Remote Low ??? Partial None None
In Moodle 3.3, the course overview block reveals activities in hidden courses.
37 CVE-2017-7491 352 CSRF 2017-05-15 2017-05-23
4.3
None Remote Medium Not required None Partial None
In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.
38 CVE-2017-2645 79 XSS 2017-03-26 2017-07-12
4.3
None Remote Medium Not required None Partial None
In Moodle 3.x, XSS can occur via attachments to evidence of prior learning.
39 CVE-2017-2644 79 XSS 2017-03-26 2017-07-12
4.3
None Remote Medium Not required None Partial None
In Moodle 3.x, XSS can occur via evidence of prior learning.
40 CVE-2017-2642 200 +Info 2017-07-17 2017-07-19
4.0
None Remote Low ??? Partial None None
Moodle 3.x has user fullname disclosure on the user preferences page.
41 CVE-2017-2578 79 XSS 2017-01-20 2017-01-25
4.3
None Remote Medium Not required None Partial None
In Moodle 3.x, there is XSS in the assignment submission page.
42 CVE-2016-9188 79 XSS 2016-11-04 2016-11-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters.
43 CVE-2016-8643 284 2017-01-20 2020-12-01
4.0
None Remote Low ??? None Partial None
In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.
44 CVE-2016-3733 284 2017-04-20 2020-12-01
4.0
None Remote Low ??? None Partial None
The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber.
45 CVE-2016-3732 200 +Info 2017-04-20 2020-12-01
4.0
None Remote Low ??? Partial None None
The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users.
46 CVE-2016-3729 284 2017-04-20 2020-12-01
4.0
None Remote Low ??? None Partial None
The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator.
47 CVE-2016-2159 284 Bypass 2016-05-22 2020-12-01
4.0
None Remote Low ??? None Partial None
The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request.
48 CVE-2016-2158 200 +Info 2016-05-22 2020-12-01
4.0
None Remote Low ??? Partial None None
lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.
49 CVE-2016-2156 200 +Info 2016-05-22 2020-12-01
4.0
None Remote Low ??? Partial None None
calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request.
50 CVE-2016-2155 264 2016-05-22 2020-12-01
4.0
None Remote Low ??? None Partial None
The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging the Non-Editing Instructor role.
Total number of vulnerabilities : 196   Page : 1 (This Page)2 3 4
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.