Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1) mod/lesson/mediafile.php or (2) mod/lesson/view.php.
Max CVSS
8.8
EPSS Score
0.09%
Published
2016-02-22
Updated
2020-12-01
Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to hijack the authentication of administrators for requests that manage Assignment plugins.
Max CVSS
8.8
EPSS Score
0.16%
Published
2016-05-22
Updated
2020-12-01
Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that marks forum posts as read.
Max CVSS
8.8
EPSS Score
0.24%
Published
2017-04-20
Updated
2020-12-01
Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.
Max CVSS
8.8
EPSS Score
0.41%
Published
2016-11-04
Updated
2016-11-29
Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.
Max CVSS
8.8
EPSS Score
0.41%
Published
2016-11-04
Updated
2016-11-29
An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.
Max CVSS
8.8
EPSS Score
88.27%
Published
2018-05-25
Updated
2020-08-24
moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.
Max CVSS
8.8
EPSS Score
5.39%
Published
2018-09-17
Updated
2019-10-09
moodle before versions 3.5.2, 3.4.5, 3.3.8 is vulnerable to a boost theme - blog search GET parameter insufficiently filtered. The breadcrumb navigation provided by Boost theme when displaying search results of a blog were insufficiently filtered, which could result in reflected XSS if a user followed a malicious link containing JavaScript in the search parameter.
Max CVSS
8.8
EPSS Score
0.21%
Published
2018-09-17
Updated
2019-10-09
A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15.
Max CVSS
8.8
EPSS Score
0.98%
Published
2018-11-26
Updated
2019-10-09
A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.
Max CVSS
8.8
EPSS Score
0.09%
Published
2019-03-26
Updated
2020-10-16
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.
Max CVSS
8.8
EPSS Score
0.41%
Published
2019-07-31
Updated
2023-02-02
A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions. It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution.
Max CVSS
8.8
EPSS Score
0.36%
Published
2020-05-21
Updated
2020-05-22

CVE-2020-14321

Public exploit
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.
Max CVSS
8.8
EPSS Score
11.13%
Published
2022-08-16
Updated
2022-12-08
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
Max CVSS
8.8
EPSS Score
0.10%
Published
2020-12-08
Updated
2022-10-21
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.
Max CVSS
8.8
EPSS Score
0.07%
Published
2021-11-22
Updated
2022-12-21
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.
Max CVSS
8.8
EPSS Score
0.07%
Published
2022-01-25
Updated
2022-12-21
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
Max CVSS
8.8
EPSS Score
0.09%
Published
2022-03-25
Updated
2022-03-30
Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
Max CVSS
8.8
EPSS Score
0.07%
Published
2022-10-06
Updated
2022-12-21
A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.
Max CVSS
8.8
EPSS Score
0.17%
Published
2023-11-09
Updated
2023-11-16
A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.
Max CVSS
8.8
EPSS Score
0.17%
Published
2023-11-09
Updated
2023-11-16
Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).
Max CVSS
8.8
EPSS Score
0.07%
Published
2023-03-23
Updated
2023-03-30
The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.
Max CVSS
8.8
EPSS Score
0.06%
Published
2023-03-23
Updated
2023-03-28
Moodle before 2.2.2 has a password and web services issue where when the user profile is updated the user password is reset if not specified.
Max CVSS
8.2
EPSS Score
0.65%
Published
2019-11-14
Updated
2019-11-22
The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
Max CVSS
8.2
EPSS Score
0.23%
Published
2023-02-17
Updated
2023-02-28
A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.
Max CVSS
8.1
EPSS Score
0.50%
Published
2018-04-04
Updated
2019-10-09
27 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!