| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. |
| In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing. |
| In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam. |
| The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator. |
| In Moodle 3.x, glossary search displays entries without checking user permissions to view them. |
| In Moodle 2.x and 3.x, the question engine allows access to files that should not be available. |
| In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course. |
| In Moodle 2.x and 3.x, SQL injection can occur via user preferences. |
| In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element. |
| In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting. |
| In Moodle 3.x, XSS can occur via evidence of prior learning. |
| In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums. |
| In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link. |
| In Moodle 3.x, course creators are able to change system default settings for courses. |
| In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access. |
| In Moodle 3.2.x, global search displays user names for unauthenticated users. |
| In Moodle 3.x, there is XSS in the assignment submission page. |
| The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber. |
| In Moodle 3.3, the course overview block reveals activities in hidden courses. |
| Multiple cross-site scripting (XSS) vulnerabilities in admin/tool/task/scheduledtasks.php in Moodle 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger a crafted (1) error or (2) success message for a scheduled task. |
