| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2014-3617 |
264 |
|
Bypass |
2014-09-15 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum. |
|
2 |
CVE-2014-2571 |
79 |
|
XSS |
2014-03-24 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the quiz_question_tostring function in mod/quiz/editlib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to inject arbitrary web script or HTML via a quiz question. |
|
3 |
CVE-2014-0218 |
79 |
|
XSS |
2014-05-27 |
2020-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the URL downloader repository in repository/url/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
4 |
CVE-2014-0216 |
264 |
|
+Info |
2014-05-27 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block. |
|
5 |
CVE-2014-0215 |
200 |
|
+Info |
2014-05-27 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote authenticated users to de-anonymize student identities by (1) using a screen reader or (2) reading the HTML source. |
|
6 |
CVE-2014-0214 |
287 |
|
|
2014-05-27 |
2020-12-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
login/token.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 creates a MoodleMobile web-service token with an infinite lifetime, which makes it easier for remote attackers to hijack sessions via a brute-force attack. |
|
7 |
CVE-2014-0213 |
352 |
|
CSRF |
2014-05-27 |
2020-12-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in mod/assign/locallib.php in the Assignment subsystem in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allow remote attackers to hijack the authentication of teachers for quick-grading requests. |
|
8 |
CVE-2014-0129 |
264 |
|
|
2014-03-24 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
badges/mybadges.php in Moodle 2.5.x before 2.5.5 and 2.6.x before 2.6.2 does not properly track the user to whom a badge was issued, which allows remote authenticated users to modify the visibility of an arbitrary badge via unspecified vectors. |
|
9 |
CVE-2014-0127 |
264 |
|
Bypass |
2014-03-24 |
2020-12-01 |
4.9 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
None |
|
The time-validation implementation in (1) mod/feedback/complete.php and (2) mod/feedback/complete_guest.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to bypass intended restrictions on starting a Feedback activity by choosing an unavailable time. |
|
10 |
CVE-2014-0126 |
352 |
|
CSRF |
2014-03-24 |
2020-12-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in enrol/imsenterprise/importnow.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that import an IMS Enterprise file. |
|
11 |
CVE-2014-0125 |
264 |
|
Bypass |
2014-03-24 |
2020-12-01 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 places a session key in a URL, which allows remote attackers to bypass intended Alfresco Repository file restrictions by impersonating a file's owner. |
|
12 |
CVE-2014-0124 |
264 |
|
+Info |
2014-03-24 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The identity-reporting implementations in mod/forum/renderer.php and mod/quiz/override_form.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 do not properly restrict the display of e-mail addresses, which allows remote authenticated users to obtain sensitive information by using the (1) Forum or (2) Quiz module. |
|
13 |
CVE-2014-0123 |
264 |
|
|
2014-03-24 |
2020-12-01 |
4.9 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
None |
|
The wiki subsystem in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly restrict (1) view and (2) edit access, which allows remote authenticated users to perform wiki operations by leveraging the student role and using the Recent Activity block to reach the individual wiki of an arbitrary student. |
|
14 |
CVE-2014-0122 |
264 |
|
Bypass |
2014-03-24 |
2020-12-01 |
4.9 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
None |
|
mod/chat/chat_ajax.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly check for the mod/chat:chat capability during chat sessions, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by remaining in a chat session after an intra-session capability removal by an administrator. |
|
15 |
CVE-2014-0010 |
352 |
|
CSRF |
2014-01-20 |
2020-12-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in user/profile/index.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 allow remote attackers to hijack the authentication of administrators for requests that delete (1) categories or (2) fields. |
|
16 |
CVE-2014-0009 |
264 |
|
|
2014-01-20 |
2020-12-01 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request. |
|
17 |
CVE-2013-7341 |
79 |
|
XSS |
2014-03-24 |
2020-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted playerId or (2) referencing an external domain, a related issue to CVE-2013-7342. |
|
18 |
CVE-2013-4942 |
79 |
|
XSS |
2013-07-29 |
2020-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. |
|
19 |
CVE-2013-4941 |
79 |
|
XSS |
2013-07-29 |
2020-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. |
|
20 |
CVE-2013-4940 |
79 |
|
XSS |
2013-07-29 |
2020-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a CVE-2013-4939 regression. |
|
21 |
CVE-2013-4939 |
79 |
|
XSS |
2013-07-29 |
2020-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.0.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. |
|
22 |
CVE-2013-4938 |
264 |
|
+Info |
2013-07-29 |
2020-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The LTI (aka IMS-LTI) mod_form implementation in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly support the sendname, sendemailaddr, and acceptgrades settings, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging an environment in which there was an ineffective attempt to enable the more secure values. |
|
23 |
CVE-2013-4525 |
79 |
|
XSS |
2013-11-26 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in mod/quiz/report/responses/responses_table.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to inject arbitrary web script or HTML via an answer to a text-based quiz question. |
|
24 |
CVE-2013-4524 |
22 |
|
Dir. Trav. |
2013-11-26 |
2020-12-01 |
6.8 |
None |
Remote |
Low |
??? |
Complete |
None |
None |
|
Directory traversal vulnerability in repository/filesystem/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a path. |
|
25 |
CVE-2013-4523 |
79 |
|
XSS |
2013-11-26 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in message/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted message. |
|
26 |
CVE-2013-4522 |
200 |
|
+Info |
2013-11-26 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
lib/filelib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 does not send "Cache-Control: private" HTTP headers, which allows remote attackers to obtain sensitive information by requesting a file that had been previously retrieved by a caching proxy server. |
|
27 |
CVE-2013-3630 |
94 |
|
|
2013-11-01 |
2021-10-12 |
4.6 |
None |
Remote |
High |
??? |
Partial |
Partial |
Partial |
|
Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor. |
|
28 |
CVE-2013-2246 |
264 |
|
+Info |
2013-07-29 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
mod/feedback/lib.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not consider the mod/feedback:view capability before displaying recent feedback, which allows remote authenticated users to obtain sensitive information via a request for all course feedback that has occurred since a specified time. |
|
29 |
CVE-2013-2245 |
287 |
|
+Info |
2013-07-29 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly implement the use of RSS tokens for impersonation, which allows remote authenticated users to obtain sensitive block information by reading an RSS feed. |
|
30 |
CVE-2013-2243 |
200 |
|
+Info |
2013-07-29 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
mod/lesson/pagetypes/matching.php in Moodle through 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 allows remote authenticated users to obtain sensitive answer information by reading the HTML source code of a document. |
|
31 |
CVE-2013-2242 |
264 |
|
Bypass |
2013-07-29 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
mod/chat/gui_sockets/index.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not consider the mod/chat:chat capability before authorizing daemon-mode chat, which allows remote authenticated users to bypass intended access restrictions via an HTTP session to a chat server. |
|
32 |
CVE-2013-2083 |
20 |
|
Bypass |
2013-05-25 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The MoodleQuickForm class in lib/formslib.php in Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly handle a certain array-element syntax, which allows remote attackers to bypass intended form-data filtering via a crafted request. |
|
33 |
CVE-2013-2082 |
264 |
|
+Info |
2013-05-25 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not enforce capability requirements for reading blog comments, which allows remote attackers to obtain sensitive information via a crafted request. |
|
34 |
CVE-2013-2081 |
264 |
|
+Info |
2013-05-25 |
2020-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not consider "don't send" attributes during hub registration, which allows remote hubs to obtain sensitive site information by reading form data. |
|
35 |
CVE-2013-1836 |
264 |
|
|
2013-03-25 |
2020-12-01 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not properly manage privileges for WebDAV repositories, which allows remote authenticated users to read, modify, or delete arbitrary site-wide repositories by leveraging certain read access. |
|
36 |
CVE-2013-1835 |
200 |
|
+Info |
2013-03-25 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
Partial |
None |
None |
|
Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated administrators to obtain sensitive information from the external repositories of arbitrary users by leveraging the login_as feature. |
|
37 |
CVE-2013-1834 |
264 |
|
|
2013-03-25 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated users to reassign notes via a modified (1) userid or (2) courseid field. |
|
38 |
CVE-2013-1833 |
79 |
|
XSS |
2013-03-25 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted filename. |
|
39 |
CVE-2013-1832 |
200 |
|
+Info |
2013-03-25 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance. |
|
40 |
CVE-2013-1831 |
200 |
|
+Info |
2013-03-25 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message. |
|
41 |
CVE-2013-1830 |
264 |
|
+Info |
2013-03-25 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search. |
|
42 |
CVE-2012-6112 |
264 |
|
|
2013-01-27 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string. |
|
43 |
CVE-2012-6105 |
200 |
|
+Info |
2013-01-27 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
blog/rsslib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 continues to provide a blog RSS feed after blogging is disabled, which allows remote attackers to obtain sensitive information by reading this feed. |
|
44 |
CVE-2012-6099 |
20 |
|
|
2013-01-27 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature. |
|
45 |
CVE-2012-6098 |
264 |
|
|
2013-01-27 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/grade:manage capability requirement, which allows remote authenticated users to convert custom outcomes into standard site-wide outcomes by leveraging the teacher role and using the re-editing feature. |
|
46 |
CVE-2012-5480 |
264 |
|
Bypass |
2012-11-21 |
2020-12-01 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote attackers to bypass intended restrictions on reading other participants' entries via an advanced search. |
|
47 |
CVE-2012-5479 |
264 |
|
|
2012-11-21 |
2020-12-01 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The Portfolio plugin in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to upload and execute files via a modified Portfolio API callback. |
|
48 |
CVE-2012-5473 |
200 |
|
+Info |
2012-11-21 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to read activity entries of a different group's users via an advanced search. |
|
49 |
CVE-2012-5471 |
264 |
|
|
2012-11-21 |
2020-12-01 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to access the Dropbox of a different user by leveraging an unattended workstation after a logout. |
|
50 |
CVE-2012-4408 |
264 |
|
Bypass |
2012-09-19 |
2020-12-01 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
course/reset.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 checks an update capability instead of a reset capability, which allows remote authenticated users to bypass intended access restrictions via a reset operation. |
