The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.
Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2023-03-23 | Updated: 2023-03-28
The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS).
Max CVSS: 9.8 | EPSS Score: 0.75% | Published: 2023-03-23 | Updated: 2023-03-31
Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).
Max CVSS: 8.8 | EPSS Score: 0.11% | Published: 2023-03-23 | Updated: 2023-03-30
The vulnerability was found in Moodle and exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user, which allows the attacker to gain unauthorized access to otherwise restricted functionality.
Max CVSS: 8.2 | EPSS Score: 0.23% | Published: 2023-02-17 | Updated: 2023-02-28
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.
Max CVSS: 9.8 | EPSS Score: 0.32% | Published: 2023-11-09 | Updated: 2023-11-17
A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.
Max CVSS: 8.8 | EPSS Score: 0.17% | Published: 2023-11-09 | Updated: 2023-11-16
A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.
Max CVSS: 8.8 | EPSS Score: 0.17% | Published: 2023-11-09 | Updated: 2023-11-16
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. The flaw exists due to insufficient validation of user-supplied input in the LTI provider library, which does not use Moodle's inbuilt cURL helper. An attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems, allowing a remote attacker to perform SSRF attacks.
Max CVSS: 9.1 | EPSS Score: 0.20% | Published: 2022-11-25 | Updated: 2023-02-01
A limited SQL injection risk was identified in the "browse list of users" site administration page.
Max CVSS: 9.8 | EPSS Score: 0.15% | Published: 2022-09-30 | Updated: 2022-12-21
A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.
Max CVSS: 9.8 | EPSS Score: 0.50% | Published: 2022-09-30 | Updated: 2022-12-21
The vulnerability was found in Moodle and occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Max CVSS: 9.8 | EPSS Score: 2.88% | Published: 2022-07-25 | Updated: 2022-12-21
A flaw was found in Moodle where the logic used to count failed login attempts could result in the account lockout threshold being bypassed.
Max CVSS: 9.8 | EPSS Score: 0.29% | Published: 2022-05-18 | Updated: 2022-12-21
A flaw was found in Moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.
Max CVSS: 9.8 | EPSS Score: 0.32% | Published: 2022-05-18 | Updated: 2022-12-21
Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
Max CVSS: 8.8 | EPSS Score: 0.07% | Published: 2022-10-06 | Updated: 2022-12-21
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
Max CVSS: 8.8 | EPSS Score: 0.09% | Published: 2022-03-25 | Updated: 2022-03-30
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.
Max CVSS: 8.8 | EPSS Score: 0.07% | Published: 2022-01-25 | Updated: 2022-12-21
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.
Max CVSS: 9.8 | EPSS Score: 0.24% | Published: 2022-01-25 | Updated: 2022-02-01
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.
Max CVSS: 8.8 | EPSS Score: 0.07% | Published: 2021-11-22 | Updated: 2022-12-21
In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.
Max CVSS: 9.8 | EPSS Score: 0.44% | Published: 2023-03-06 | Updated: 2023-03-13
In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.
Max CVSS: 9.8 | EPSS Score: 0.12% | Published: 2023-03-06 | Updated: 2023-03-13
In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.
Max CVSS: 9.8 | EPSS Score: 0.12% | Published: 2023-03-06 | Updated: 2023-03-13
CVE-2021-21809 (public exploit available)
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerability.
Max CVSS: 9.1 | EPSS Score: 2.41% | Published: 2021-06-23 | Updated: 2022-08-24
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified.
Max CVSS: 9.8 | EPSS Score: 0.71% | Published: 2021-11-22 | Updated: 2022-12-21
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
Max CVSS: 8.8 | EPSS Score: 0.10% | Published: 2020-12-08 | Updated: 2022-10-21
CVE-2020-14321 (public exploit available)
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.
Max CVSS: 8.8 | EPSS Score: 11.13% | Published: 2022-08-16 | Updated: 2022-12-08
51 vulnerabilities found