Latest Moodle Vulnerabilities

Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to...
Moodle Moodle=4.3.0
RCE due to LFI risk in some misconfigured shared hosting environments
redhat/moodle<4.2.3
redhat/moodle<4.1.6
redhat/moodle<4.0.11
redhat/moodle<3.11.17
redhat/moodle<3.9.24
Moodle Moodle<3.9.24
and 12 more
Insufficient capability checks when updating the parent of a course category
redhat/moodle<4.2.3
redhat/moodle<4.1.6
redhat/moodle<4.0.11
redhat/moodle<3.11.17
redhat/moodle<3.9.24
Moodle Moodle<3.9.24
and 7 more
Cache poisoning risk with endpoint revision numbers
redhat/moodle<4.2.3
redhat/moodle<4.1.6
redhat/moodle<4.0.11
redhat/moodle<3.11.17
redhat/moodle<3.9.24
Moodle Moodle<3.9.24
and 7 more
The course upload preview contained an XSS risk for users uploading unsafe data.
redhat/moodle<4.2.3
redhat/moodle<4.1.6
redhat/moodle<4.0.11
redhat/moodle<3.11.17
redhat/moodle<3.9.24
Moodle Moodle>=3.9.0<3.9.24
and 9 more
Stored XSS in quiz grading report via user ID number
redhat/moodle<4.2.3
redhat/4.1.6 and<4.0.11
composer/moodle/moodle<4.3.0-rc2
Moodle Moodle>=4.0.0<4.0.11
Moodle Moodle>=4.1.0<4.1.6
Moodle Moodle>=4.2.0<4.2.3
and 4 more
Auto-populated H5P author name causes a potential information leak
redhat/moodle<4.2.3
redhat/moodle<4.1.6
redhat/moodle<4.0.11
redhat/moodle<3.11.17
redhat/moodle<3.9.24
Moodle Moodle<3.9.24
and 7 more
Stored XSS and potential IDOR risk in wiki comments
redhat/moodle<4.2.3
redhat/moodle<4.1.6
redhat/moodle<4.0.11
redhat/moodle<3.11.17
redhat/moodle<3.9.24
composer/moodle/moodle<4.3.0-rc2
and 9 more
Moodle: duplicating a BigBlueButton activity assigns the same meeting ID
redhat/moodle<4.2.3
redhat/moodle<4.1.6
redhat/moodle<4.0.11
Moodle Moodle>=4.0.0<4.0.11
Moodle Moodle>=4.1.0<4.1.6
Moodle Moodle>=4.2.0<4.2.3
and 2 more
Students can view other users in "only see own membership" groups
redhat/moodle<4.2.3
Moodle Moodle=4.2.2
Fedoraproject Extra Packages For Enterprise Linux=7.0
Fedoraproject Fedora=38
composer/moodle/moodle<4.3.0-rc2
Authenticated remote code execution risk in imscp
redhat/moodle<4.2.3
redhat/moodle<4.1.6
redhat/moodle<4.0.11
redhat/moodle<3.11.17
redhat/moodle<3.9.24
Moodle Moodle<3.9.24
and 7 more
Authenticated remote code execution risk in lesson
redhat/moodle<4.2.3
redhat/moodle<4.1.6
redhat/moodle<4.0.11
redhat/moodle<3.11.17
redhat/moodle<3.9.24
composer/moodle/moodle<4.3.0-rc2
and 7 more
An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3....
Moodle Moodle<3.9.22
Moodle Moodle>=3.11.0<3.11.15
Moodle Moodle>=4.0.0<4.0.9
Moodle Moodle>=4.1.0<4.1.4
Moodle Moodle=4.2.0
composer/moodle/moodle<3.9.22
and 4 more
A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupport...
Moodle Moodle<3.9.22
Moodle Moodle>=3.11.0<3.11.15
Moodle Moodle>=4.0.0<4.0.9
Moodle Moodle>=4.1.0<4.1.4
Moodle Moodle=4.2.0
composer/moodle/moodle<3.9.22
and 4 more
Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14.
Moodle Moodle>=3.11.0<3.11.15
Moodle Moodle>=4.0.0<4.0.9
Moodle Moodle>=4.1.0<4.1.4
Moodle Moodle=4.2.0
composer/moodle/moodle<3.11.15
composer/moodle/moodle>=4.0.0<4.0.9
and 2 more
** DISPUTED ** Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in ...
Moodle Moodle=3.10.1
composer/moodle/moodle<=3.10.1
A vulnerability was found in Moodle which exists due to insufficient sanitization of user-supplied data in the external Wiki method for listing pages. A remote attacker can send a specially crafted request...
Moodle Moodle>=3.9.0<3.9.21
Moodle Moodle>=3.11.0<3.11.14
Moodle Moodle>=4.0.0<4.0.8
Moodle Moodle>=4.1.0<4.1.3
Fedoraproject Extra Packages For Enterprise Linux=7.0
Fedoraproject Fedora=36
and 7 more
A vulnerability was found in Moodle which exists because the application allows a user to control the path of the folder to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request...
Moodle Moodle>=4.1.0<4.1.3
Fedoraproject Extra Packages For Enterprise Linux=7.0
Fedoraproject Fedora=36
Fedoraproject Fedora=37
Fedoraproject Fedora=38
redhat/moodle<4.1.3
and 1 more
In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.
Moodle Moodle>3.9.0<3.9.16
Moodle Moodle>3.11.0<3.11.9
Moodle Moodle>4.0.0<4.0.3
Moodle Moodle=3.9.0
Moodle Moodle=3.11.0
Moodle Moodle=4.0.0
Authenticated users were able to enumerate other users' names via the learning plans page.
Moodle Moodle>4.0.0<4.0.7
Moodle Moodle=4.0.0
Moodle Moodle=4.1.0
Moodle Moodle=4.1.1
The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.
Moodle Moodle=4.1.0
Moodle Moodle=4.1.1
Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk.
Moodle Moodle>3.9.0<3.9.20
Moodle Moodle>3.11.0<3.11.13
Moodle Moodle>4.0.0<4.0.7
Moodle Moodle=3.9.0
Moodle Moodle=3.11.0
Moodle Moodle=4.0.0
and 2 more
Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.
Moodle Moodle>3.9.0<3.9.20
Moodle Moodle>3.11.0<3.11.13
Moodle Moodle>4.0.0<4.0.7
Moodle Moodle=3.9.0
Moodle Moodle=3.11.0
Moodle Moodle=4.0.0
and 3 more
The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS).
Moodle Moodle>3.9.0<3.9.20
Moodle Moodle>3.11.0<3.11.13
Moodle Moodle>4.0.0<4.0.7
Moodle Moodle=3.9.0
Moodle Moodle=3.11.0
Moodle Moodle=4.0.0
and 3 more
If the algebra filter was enabled but not functional (e.g. the necessary binaries were missing from the server), it presented an XSS risk.
Moodle Moodle>3.9.0<3.9.20
Moodle Moodle>3.11.0<3.11.13
Moodle Moodle>4.0.0<4.0.7
Moodle Moodle=3.9.0
Moodle Moodle=3.11.0
Moodle Moodle=4.0.0
and 2 more
Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).
Moodle Moodle>3.9.0<3.9.20
Moodle Moodle>3.11.0<3.11.13
Moodle Moodle>4.0.0<4.0.7
Moodle Moodle=3.9.0
Moodle Moodle=3.11.0
Moodle Moodle=4.0.0
and 2 more
Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.
Moodle Moodle>3.9.0<3.9.20
Moodle Moodle>3.11.0<3.11.13
Moodle Moodle>4.0.0<4.0.7
Moodle Moodle=3.9.0
Moodle Moodle=3.11.0
Moodle Moodle=4.0.0
and 2 more
The course participation report required additional checks to prevent roles being displayed which the user did not have access to view.
Moodle Moodle>3.9.0<3.9.20
Moodle Moodle>3.11.0<3.11.13
Moodle Moodle>4.0.0<4.0.7
Moodle Moodle=3.9.0
Moodle Moodle=3.11.0
Moodle Moodle=4.0.0
and 2 more
In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.
Moodle Moodle<3.9.8
Moodle Moodle>=3.10.0<3.10.5
Moodle Moodle>=3.11.0<3.11.1
In Moodle, users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.
Moodle Moodle<3.9.8
Moodle Moodle>=3.10.0<3.10.5
Moodle Moodle>=3.11.0<3.11.1
In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.
Moodle Moodle<3.9.8
Moodle Moodle>=3.10.0<3.10.5
Moodle Moodle>=3.11.0<3.11.1
In Moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.
Moodle Moodle=3.11.0
In Moodle, insufficient capability checks meant message deletions were not limited to the current user.
Moodle Moodle<3.9.8
Moodle Moodle>=3.10.0<3.10.5
Moodle Moodle>=3.11.0<3.11.1
In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.
Moodle Moodle<3.9.8
Moodle Moodle>=3.10.0<3.10.5
Moodle Moodle>=3.11.0<3.11.1
In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.
Moodle Moodle=3.11.0
In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.
Moodle Moodle<3.9.8
Moodle Moodle>=3.10.0<3.10.5
Moodle Moodle>=3.11.0<3.11.1
In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.
Moodle Moodle<3.9.8
Moodle Moodle>=3.10.0<3.10.5
Moodle Moodle>=3.11.0<3.11.1
In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.
Moodle Moodle<3.9.8
Moodle Moodle>=3.10.0<3.10.5
Moodle Moodle>=3.11.0<3.11.1
In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.
Moodle Moodle<3.9.8
Moodle Moodle>=3.10.0<3.10.5
Moodle Moodle>=3.11.0<3.11.1
In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.
Moodle Moodle<3.9.8
Moodle Moodle>=3.10.0<3.10.5
Moodle Moodle>=3.11.0<3.11.1
A vulnerability was found in Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a r...
Moodle Moodle>=3.9.0<3.9.19
Moodle Moodle>=3.11.0<3.11.12
Moodle Moodle>=4.0.0<4.0.6
Moodle Moodle=4.1.0
redhat/moodle<4.1.1
redhat/moodle<4.0.6
and 2 more
A vulnerability was found in Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and exe...
Moodle Moodle>=4.0.0<4.0.6
Moodle Moodle=4.1.0
redhat/moodle<4.1.1
redhat/moodle<4.0.6
A vulnerability was found in Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim to follow a specially crafte...
Moodle Moodle>=3.9.0<3.9.19
Moodle Moodle>=3.11.0<3.11.12
Moodle Moodle>=4.0.0<4.0.6
Moodle Moodle=4.1.0
redhat/moodle<4.1.1
redhat/moodle<4.0.6
and 2 more
A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being ...
Moodle Moodle>=3.9.0<3.9.18
Moodle Moodle>=3.11.0<3.11.11
Moodle Moodle>=4.0.0<4.0.5
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Fedoraproject Fedora=37
and 3 more
A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user-supplied data in policy tool. An attacker can trick the victim to ope...
Moodle Moodle>=3.9.0<3.9.18
Moodle Moodle>=3.11.0<3.11.11
Moodle Moodle>=4.0.0<4.0.5
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Fedoraproject Fedora=37
and 3 more
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utili...
Moodle Moodle<3.9.18
Moodle Moodle>=3.11.0<3.11.11
Moodle Moodle>=4.0.0<4.0.5
Fedoraproject Extra Packages For Enterprise Linux=7.0
Fedoraproject Fedora=35
Fedoraproject Fedora=36
and 4 more
The stored-XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in several "social" user profile fields. An attacker could inject and execute ...
Moodle Moodle>=3.11.0<3.11.11
Moodle Moodle>=4.0.0<4.0.5
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Fedoraproject Fedora=37
redhat/moodle<4.0.5
and 1 more
Severity/Risk: Minor; Versions affected: 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions; Versions fixed: 4.0.4, 3.11.10 and 3.9.17; Reported by: Jari Vilkman and Bjørn T...
Moodle Moodle>=3.9.0<3.9.17
Moodle Moodle>=3.11.0<3.11.10
Moodle Moodle>=4.0.0<4.0.4
Fedoraproject Extra Packages For Enterprise Linux=8.0
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Severity/Risk: Minor; Versions affected: 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions; Versions fixed: 4.0.4, 3.11.10 and 3.9.17; Reported by: Vincent; CVE identifier: ...
Moodle Moodle>=3.9.0<3.9.17
Moodle Moodle>=3.11.0<3.11.10
Moodle Moodle>=4.0.0<4.0.4
Fedoraproject Extra Packages For Enterprise Linux=8.0
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Severity/Risk: Serious; Versions affected: 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions; Versions fixed: 4.0.4, 3.11.10 and 3.9.17; Reported by: Paul Holden; CVE identi...
Moodle Moodle>=3.9<3.9.17
Moodle Moodle>=3.11<3.11.10
Moodle Moodle>=4.0<4.0.4
