Filtered by vendor Moodle
Subscriptions
Total
634 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-2643 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| In Moodle 3.2.x, global search displays user names for unauthenticated users. | ||||
| CVE-2017-7531 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| In Moodle 3.3, the course overview block reveals activities in hidden courses. | ||||
| CVE-2017-2578 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| In Moodle 3.x, there is XSS in the assignment submission page. | ||||
| CVE-2017-7532 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| In Moodle 3.x, course creators are able to change system default settings for courses. | ||||
| CVE-2017-7491 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting. | ||||
| CVE-2017-2642 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| Moodle 3.x has user fullname disclosure on the user preferences page. | ||||
| CVE-2016-8644 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context. | ||||
| CVE-2016-7038 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. | ||||
| CVE-2016-3734 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that marks forum posts as read. | ||||
| CVE-2017-7489 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link. | ||||
| CVE-2016-3733 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber. | ||||
| CVE-2016-5013 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam. | ||||
| CVE-2017-2641 | 1 Moodle | 1 Moodle | 2025-04-20 | N/A |
| In Moodle 2.x and 3.x, SQL injection can occur via user preferences. | ||||
| CVE-2014-3553 | 1 Moodle | 1 Moodle | 2025-04-12 | N/A |
| mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships. | ||||
| CVE-2014-3549 | 1 Moodle | 1 Moodle | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the get_description function in lib/classes/event/user_login_failed.php in Moodle 2.7.x before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted username that is improperly handled during the logging of an invalid login attempt. | ||||
| CVE-2014-3542 | 1 Moodle | 1 Moodle | 2025-04-12 | N/A |
| mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | ||||
| CVE-2014-3546 | 1 Moodle | 1 Moodle | 2025-04-12 | N/A |
| Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL. | ||||
| CVE-2014-2572 | 1 Moodle | 1 Moodle | 2025-04-12 | N/A |
| mod/assign/externallib.php in Moodle 2.6.x before 2.6.2 does not properly handle assignment web-service parameters, which might allow remote authenticated users to modify grade metadata via unspecified vectors. | ||||
| CVE-2016-2156 | 1 Moodle | 1 Moodle | 2025-04-12 | N/A |
| calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request. | ||||
| CVE-2016-2155 | 1 Moodle | 1 Moodle | 2025-04-12 | N/A |
| The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging the Non-Editing Instructor role. | ||||