An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.
Max CVSS: 7.5 | EPSS Score: 0.06% | Published: 2023-06-22 | Updated: 2023-06-30
The vulnerability was found in Moodle and exists due to insufficient sanitization of user-supplied data in the external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database.
Max CVSS: 7.3 | EPSS Score: 0.13% | Published: 2023-05-02 | Updated: 2023-05-11
The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-03-23 | Updated: 2023-03-28
The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS).
Max CVSS: 9.8 | EPSS Score: 0.37% | Published: 2023-03-23 | Updated: 2023-03-31
Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).
Max CVSS: 8.8 | EPSS Score: 0.07% | Published: 2023-03-23 | Updated: 2023-03-30
The vulnerability was found in Moodle and exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
Max CVSS: 8.2 | EPSS Score: 0.23% | Published: 2023-02-17 | Updated: 2023-02-28
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.
Max CVSS: 9.8 | EPSS Score: 0.32% | Published: 2023-11-09 | Updated: 2023-11-17
A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.
Max CVSS: 8.8 | EPSS Score: 0.17% | Published: 2023-11-09 | Updated: 2023-11-16
A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.
Max CVSS: 8.8 | EPSS Score: 0.17% | Published: 2023-11-09 | Updated: 2023-11-16
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in the LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.
Max CVSS: 9.1 | EPSS Score: 0.20% | Published: 2022-11-25 | Updated: 2023-02-01
A limited SQL injection risk was identified in the "browse list of users" site administration page.
Max CVSS: 9.8 | EPSS Score: 0.15% | Published: 2022-09-30 | Updated: 2022-12-21
A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.
Max CVSS: 9.8 | EPSS Score: 0.50% | Published: 2022-09-30 | Updated: 2022-12-21
Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.
Max CVSS: 7.1 | EPSS Score: 0.09% | Published: 2022-09-30 | Updated: 2022-12-21
The vulnerability was found in Moodle and occurs due to an input validation error when importing lesson questions. Insufficient path checks result in an arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. By default, access to this feature is only available to teachers, managers and admins.
Max CVSS: 7.5 | EPSS Score: 0.29% | Published: 2022-07-25 | Updated: 2022-12-21
The vulnerability was found in Moodle and occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Max CVSS: 9.8 | EPSS Score: 2.88% | Published: 2022-07-25 | Updated: 2022-12-21
A flaw was found in Moodle where the logic used to count failed login attempts could result in the account lockout threshold being bypassed.
Max CVSS: 9.8 | EPSS Score: 0.29% | Published: 2022-05-18 | Updated: 2022-12-21
A flaw was found in Moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.
Max CVSS: 9.8 | EPSS Score: 0.32% | Published: 2022-05-18 | Updated: 2022-12-21
Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
Max CVSS: 8.8 | EPSS Score: 0.07% | Published: 2022-10-06 | Updated: 2022-12-21
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
Max CVSS: 8.8 | EPSS Score: 0.09% | Published: 2022-03-25 | Updated: 2022-03-30
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.
Max CVSS: 8.8 | EPSS Score: 0.07% | Published: 2022-01-25 | Updated: 2022-12-21
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.
Max CVSS: 9.8 | EPSS Score: 0.24% | Published: 2022-01-25 | Updated: 2022-02-01
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.
Max CVSS: 8.8 | EPSS Score: 0.07% | Published: 2021-11-22 | Updated: 2022-12-21
In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.
Max CVSS: 7.5 | EPSS Score: 0.06% | Published: 2023-03-06 | Updated: 2023-03-13
In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.
Max CVSS: 7.5 | EPSS Score: 0.08% | Published: 2023-03-06 | Updated: 2023-03-13
In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.
Max CVSS: 9.8 | EPSS Score: 0.44% | Published: 2023-03-06 | Updated: 2023-03-13
91 vulnerabilities found