SQL injection vulnerability in sql.php in the Glossary module in Moodle 1.4.1 and earlier allows remote attackers to modify SQL statements.
Max CVSS: 7.5 | EPSS Score: 1.51% | Published: 2004-12-31 | Updated: 2020-12-01
Multiple SQL injection vulnerabilities in the get_record function in datalib.php in Moodle 1.5.2 allow remote attackers to execute arbitrary SQL commands via the id parameter in (1) category.php and (2) info.php.
Max CVSS: 7.5 | EPSS Score: 1.11% | Published: 2005-11-17 | Updated: 2017-07-11
The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter.
Max CVSS: 7.5 | EPSS Score: 7.49% | Published: 2006-01-09 | Updated: 2018-10-19
Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.
Max CVSS: 7.5 | EPSS Score: 2.66% | Published: 2006-01-09 | Updated: 2018-10-19
SQL injection vulnerability in blog/edit.php in Moodle 1.6.1 and earlier allows remote attackers to execute arbitrary SQL commands via the format parameter as stored in the $blogEntry variable, which is not properly handled by the insert_record function, which calls _adodb_column_sql in the adodb layer (lib/adodb/adodb-lib.inc.php), which does not convert the data type to an int.
Max CVSS: 7.5 | EPSS Score: 0.68% | Published: 2006-09-14 | Updated: 2018-10-17
Multiple PHP remote file inclusion vulnerabilities in Moodle 1.7.1 allow remote attackers to execute arbitrary PHP code via a URL in the cmd parameter to (1) admin/utfdbmigrate.php or (2) filter.php.
Max CVSS: 7.5 | EPSS Score: 1.08% | Published: 2007-03-13 | Updated: 2018-10-16
Moodle 1.5.2 and earlier stores sensitive information under the web root with insufficient access control, and provides directory listings, which allows remote attackers to obtain user names, password hashes, and other sensitive information via a direct request for session (sess_*) files in moodledata/sessions/.
Max CVSS: 7.8 | EPSS Score: 2.68% | Published: 2007-03-24 | Updated: 2017-10-11
SQL injection vulnerability in the hotpot_delete_selected_attempts function in report.php in the HotPot module in Moodle 1.6 before 1.6.7, 1.7 before 1.7.5, 1.8 before 1.8.6, and 1.9 before 1.9.2 allows remote attackers to execute arbitrary SQL commands via a crafted selected attempt.
Max CVSS: 7.5 | EPSS Score: 0.14% | Published: 2009-02-13 | Updated: 2018-11-08
Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 does not use a random password salt in config.php, which makes it easier for attackers to conduct brute-force password guessing attacks.
Max CVSS: 7.5 | EPSS Score: 0.52% | Published: 2009-12-16 | Updated: 2020-12-01
Multiple SQL injection vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the add_to_log function in mod/wiki/view.php in the wiki module, or (2) "data validation in some forms elements" related to lib/form/selectgroups.php.
Max CVSS: 7.5 | EPSS Score: 0.21% | Published: 2010-04-29 | Updated: 2020-12-01
lib/formslib.php in Moodle 2.1.x before 2.1.4 and 2.2.x before 2.2.1 does not properly handle multiple instances of a form element, which has unspecified impact and remote attack vectors.
Max CVSS: 7.5 | EPSS Score: 0.32% | Published: 2012-07-17 | Updated: 2023-02-13
Moodle has a database activity export permission issue where the export function of the database activity module exports all entries, even those from groups the user does not belong to.
Max CVSS: 7.5 | EPSS Score: 0.72% | Published: 2019-11-14 | Updated: 2019-11-22
Moodle before 2.2.2 has users' private files included in course backups.
Max CVSS: 7.5 | EPSS Score: 0.27% | Published: 2019-11-14 | Updated: 2019-11-22
Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough.
Max CVSS: 7.5 | EPSS Score: 0.25% | Published: 2019-11-14 | Updated: 2019-11-15
Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string.
Max CVSS: 7.5 | EPSS Score: 0.12% | Published: 2013-09-16 | Updated: 2020-12-01
badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.
Max CVSS: 7.5 | EPSS Score: 0.45% | Published: 2013-09-16 | Updated: 2020-12-01
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.
Max CVSS: 7.5 | EPSS Score: 4.53% | Published: 2014-07-29 | Updated: 2020-12-01
The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack.
Max CVSS: 7.5 | EPSS Score: 0.75% | Published: 2014-11-24 | Updated: 2020-12-01
Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an HTTP Referer header that has a substring match with a local URL.
Max CVSS: 7.4 | EPSS Score: 0.30% | Published: 2016-02-22 | Updated: 2020-12-01
lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.
Max CVSS: 7.5 | EPSS Score: 0.34% | Published: 2016-02-22 | Updated: 2020-12-01
Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role and entering drafts with the editor-autosave feature.
Max CVSS: 7.1 | EPSS Score: 0.21% | Published: 2016-02-22 | Updated: 2020-12-01
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.
Max CVSS: 7.3 | EPSS Score: 0.09% | Published: 2017-01-20 | Updated: 2020-12-01
Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting that "the person who is installing Moodle must know database access credentials and they can access the database directly; there is no need for them to create a SQL injection in one of the installation dialogue fields."
Max CVSS: 7.5 | EPSS Score: 0.24% | Published: 2016-10-28 | Updated: 2024-03-21
A flaw was found in Moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank.
Max CVSS: 7.5 | EPSS Score: 0.24% | Published: 2018-07-10 | Updated: 2020-10-23
Moodle 3.5.x before 3.5.4 allows SSRF.
Max CVSS: 7.5 | EPSS Score: 0.10% | Published: 2019-03-21 | Updated: 2019-03-22
40 vulnerabilities found