| Severity | Score | Advisory | Affected versions |
|---|---|---|---|
| | | | >= 4.3.0, < 4.3.4 |
| CRITICAL | 9.8 | CVE-2023-28333: Moodle's Mustache pix helper contained a potential Mustache injection risk if combined with user input | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
| CRITICAL | 9.8 | Moodle SQL Injection vulnerability | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| CRITICAL | 9.8 | Moodle Session Fixation vulnerability | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| CRITICAL | 9.8 | Moodle SQL Injection vulnerability | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| CRITICAL | 9.8 | Moodle Minor SQL injection risk in admin user browsing | >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4 |
| CRITICAL | 9.8 | Moodle remote code execution | >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4 |
| CRITICAL | 9.8 | Moodle PostScript Code Injection | >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2 |
| CRITICAL | 9.8 | Incorrect Calculation in moodle | >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1 |
| CRITICAL | 9.8 | SQL injection in moodle | >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1 |
| CRITICAL | 9.8 | SQL injection in Moodle | >= 3.11.0, < 3.11.5 |
| CRITICAL | 9.8 | Moodle vulnerable to RCE via unsafe deserialization | >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4 |
| CRITICAL | 9.1 | Moodle blind Server-Side Request Forgery (SSRF) vulnerability in LTI provider library | from 0, < 3.9.18, >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5 |
| CRITICAL | 9.1 | Moodle command execution vulnerability exists in the default legacy spellchecker plugin | >= 3.10.0, < 3.10.1 |
| HIGH | 8.8 | Moodle affected by a code injection vulnerability | from 0, < 4.1.22, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| HIGH | 8.8 | Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| HIGH | 8.8 | Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| HIGH | 8.8 | Moodle has a CSRF risk in Brickfield tool's analysis request action | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| HIGH | 8.8 | Moodle CSRF risk in analytics management of models | >= 4.0.0, < 4.3.4 |
| HIGH | 8.8 | Moodle Logout CSRF in admin/tool/mfa/auth.php | >= 4.3.0, < 4.3.4 |
| HIGH | 8.8 | Cross-Site Request Forgery in moodle | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3 |
| HIGH | 8.8 | Moodle Code Injection vulnerability | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| HIGH | 8.8 | Moodle vulnerable to Cross-site Request Forgery | >= 4.1.0, < 4.1.1, >= 4.1.1, < 4.1.2 |
| HIGH | 8.8 | Moodle SQL Injection vulnerability | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
| HIGH | 8.8 | Moodle Cross-Site Request Forgery (CSRF) | >= 3.11.0, < 3.11.9, >= 4.0.0, < 4.0.3 |
| HIGH | 8.8 | Moodle Incorrect Authorization vulnerability | >= 3.5.0, < 3.5.13, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.4, >= 3.9.0, < 3.9.1 |
| HIGH | 8.8 | Moodle contains CSRF vulnerability | from 0, < 3.8.9, >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4 |
| HIGH | 8.8 | Moodle incorrect access control | >= 3.5.0, < 3.5.14, >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2 |
| HIGH | 8.8 | Moodle vulnerable to RCE | >= 3.5.0, < 3.5.12, >= 3.6.0, < 3.6.10, >= 3.7.0, < 3.7.6, >= 3.8.0, < 3.8.3 |
| HIGH | 8.8 | SQL Injection in Moodle | >= 3.9.0, < 3.9.13, >= 3.10.0, < 3.10.10, >= 3.11.0, < 3.11.6 |
| HIGH | 8.8 | Cross Site Request Forgery in Moodle | from 0, < 3.8.10, >= 3.9.0, < 3.9.12, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.5 |
| HIGH | 8.6 | Moodle has an arbitrary file read risk through pdfTeX | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| HIGH | 8.4 | Moodle CSRF risk in admin preset tool management of presets | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| HIGH | 8.3 | Moodle has a stored XSS risk in admin live log | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| HIGH | 8.3 | Moodle allows reflected XSS via question bank filter | >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| HIGH | 8.2 | Moodle Improper Access Control vulnerability | >= 3.9.0, < 3.9.19, >= 3.11.0, < 3.11.12, >= 4.0.0, < 4.0.6, >= 4.1.0, < 4.1.1 |
| HIGH | 8.1 | Moodle authentication bypass vulnerability | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| HIGH | 8.1 | Moodle has a SQL injection risk in course search module list filter | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| HIGH | 8.1 | Moodle has CSRF risk in Feedback non-respondents report | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 8.1 | Moodle Remote Code Execution vulnerability | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.7 | Moodle vulnerable to cache poisoning via injection into storage | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.5 | Moodle Affected by Improper Restriction of Excessive Authentication Attempts | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| HIGH | 7.5 | Moodle vulnerable to brute-force password guesses | >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3 |
| HIGH | 7.5 | Moodle allows unauthenticated REST API user data exposure | >= 4.5.0, < 4.5.3 |
| HIGH | 7.5 | Moodle IDOR when deleting OAuth2 linked accounts | from 0, < 4.1.13, >= 4.2.0, < 4.2.10, >= 4.3.0, < 4.3.7, >= 4.4.0, < 4.4.3 |
| HIGH | 7.5 | Moodle's IDOR in badges allows deletion of arbitrary badges | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.5 | Moodle's IDOR in Feedback non-respondents report allows messaging arbitrary site users | >= 4.1.0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.5 | Moodle has arbitrary file read risk through pdfTeX | >= 4.1.0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.5 | Moodle LFI vulnerability when restoring malformed block backups | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.5 | Moodle HTTP authorization header is preserved between "emulated redirects" | from 0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1 |
| HIGH | 7.5 | Moodle ReCAPTCHA can be bypassed on the login page | >= 4.3.0, < 4.3.4 |
| HIGH | 7.5 | In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of den… | >= 3.5.0, < 3.5.13, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.4, >= 3.9.0, < 3.9.1 |
| HIGH | 7.5 | Uncontrolled Resource Consumption in moodle | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3 |
| HIGH | 7.5 | Moodle vulnerable to Server Side Request Forgery | from 0, < 3.9.22, >= 3.11.0, < 3.11.15, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.4, >= 4.2.0, < 4.2.1 |
| HIGH | 7.5 | Moodle vulnerable to Server-Side Request Forgery | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| HIGH | 7.5 | Moodle vulnerable to Uncontrolled Resource Consumption | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| HIGH | 7.5 | Moodle Arbitrary file read when importing lesson questions | >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2 |
| HIGH | 7.5 | Moodle Denial of Service | >= 3.5.0, < 3.5.14, >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2 |
| HIGH | 7.5 | Moodle denial-of-service risk in the draft files area | from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4 |
| HIGH | 7.5 | Privilege Escalation in moodle | >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3 |
| HIGH | 7.5 | Improper Access Control in moodle | >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3 |
| HIGH | 7.3 | Moodle vulnerable to Cross-site Scripting | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| HIGH | 7.3 | Moodle Cross-site Scripting (XSS) vulnerability | >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| HIGH | 7.3 | Moodle SQL Injection vulnerability | >= 3.9.0, < 3.9.21, >= 3.11.0, < 3.11.14, >= 4.0.0, < 4.0.8, >= 4.1.0, < 4.1.3 |
| HIGH | 7.2 | Moodle: moodle: improper input sanitization in tex filter administration setting | from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2 |
| HIGH | 7.2 | Moodle has a Remote Code Execution risk via file restore | from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2 |
| HIGH | 7.2 | Moodle vulnerable to site administration SQL injection via XMLDB editor | >= 4.1.0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.2 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool. | >= 3.5.0, < 3.5.11, >= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.5, >= 3.8.0, < 3.8.2 |
| HIGH | 7.2 | Moodle Arbitrary PHP code execution by site admins via Shibboleth configuration | from 0, < 3.5.16, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1 |
| HIGH | 7.2 | Moodle Blind SQL injection possible via MNet authentication | from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4 |
| HIGH | 7.1 | Moodle: user dos and name disclosure via idor in moodle mfa email factor revoke action | >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| HIGH | 7.1 | Moodle Stored Cross-site Scripting and page denial of service | >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4 |
| MEDIUM | 6.5 | Moodle TeX formula editor is vulnerable to DoS through lack of execution time limits | from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2 |
| MEDIUM | 6.5 | Moodle's feedback response viewing and deletions did not respect Separate Groups mode | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| MEDIUM | 6.5 | Moodle allows users to retrieve information they did not have permission to access | from 0, < 4.1.13, >= 4.2.0, < 4.2.10, >= 4.3.0, < 4.3.7, >= 4.4.0, < 4.4.3 |
| MEDIUM | 6.5 | moodle: Some users can delete audiences of other reports | from 0, < 4.1.19, >= 4.2.0, < 4.4.9 |
| MEDIUM | 6.5 | moodle: IDOR in edit/delete RSS feed | from 0, < 4.1.19, >= 4.2.0, < 4.4.9 |
| MEDIUM | 6.5 | Moodle uses the same key for QR login and auto-login | >= 4.1.0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1 |
| MEDIUM | 6.5 | Moodle Authenticated LFI risk in some misconfigured shared hosting environments | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.5 | Moodle Authenticated LFI risk in some misconfigured shared hosting environments | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.5 | Moodle Authenticated LFI risk in some misconfigured shared hosting environments | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.5 | Moodle Improper Access Control vulnerability | from 0, < 4.3.4 |
| MEDIUM | 6.5 | Moodle Code Injection vulnerability | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| MEDIUM | 6.5 | Moodle arbitrary file read vulnerability | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
| MEDIUM | 6.5 | Moodle type juggling vulnerability | from 0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3 |
| MEDIUM | 6.5 | Cross-Site Request Forgery in Moodle | from 0, < 3.7.2 |
| MEDIUM | 6.5 | SQL Injection in moodle | >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3 |
| MEDIUM | 6.3 | Moodle vulnerable to SQL Injection | from 0, < 3.9.22, >= 3.11.0, < 3.11.15, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.4, >= 4.2.0, < 4.2.1 |
| MEDIUM | 6.2 | Moodle broken access control when setting calendar event type | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.1 | Moodle formula injection vulnerability | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| MEDIUM | 6.1 | Moodle stored XSS via calendar's event title when deleting the event | >= 4.1.0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1 |
| MEDIUM | 6.1 | Moodle stored Cross-site Scripting (XSS) | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.1 | Cross site scripting in moodle | >= 3.10.9, < 4.1.10 |
| MEDIUM | 6.1 | Moodle Cross-site Scripting vulnerability | >= 3.9.0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| MEDIUM | 6.1 | Moodle Cross-site Scripting vulnerability | >= 3.9.0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| MEDIUM | 6.1 | Moodle vulnerable to Cross-site Scripting | >= 3.11.0, < 3.11.15, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.4, >= 4.2.0, < 4.2.1 |
| MEDIUM | 6.1 | Moodle vulnerable to Cross-site Scripting | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
| MEDIUM | 6.1 | Moodle vulnerable to Cross-site Scripting when algebra filter enabled but not functional | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
| MEDIUM | 6.1 | Moodle Cross-site Scripting vulnerability | >= 3.9.0, < 3.9.19, >= 3.11.0, < 3.11.12, >= 4.0.0, < 4.0.6, >= 4.1.0, < 4.1.1 |
| MEDIUM | 6.1 | Moodle Cross-site Scripting vulnerability | >= 4.0.0, < 4.0.6, >= 4.1.0, < 4.1.1 |
| MEDIUM | 6.1 | Moodle reflected cross-site scripting vulnerability in policy tool | >= 3.9.0, < 3.9.18, >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5 |
| MEDIUM | 6.1 | Moodle reflected XSS Vulnerability | >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.4, >= 3.9.0, < 3.9.1 |
| MEDIUM | 6.1 | Moodle LTI module reflected XSS risk | >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.1, >= 4.0.1, < 4.0.2 |
| MEDIUM | 6.1 | Moodle Open redirect risk in mobile auto-login feature | >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2 |
| MEDIUM | 6.1 | Moodle Stored XSS and blind SSRF possible via SCORM track details | >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2 |
| MEDIUM | 6.1 | Moodle Cross-site Scripting (XSS) | >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2 |
| MEDIUM | 6.1 | Moodle stored Cross-site Scripting (XSS) | >= 3.9.0, < 3.9.2 |
| MEDIUM | 6.1 | Moodle reflected XSS | from 0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4 |
| MEDIUM | 6.1 | Cross-site Scripting in moodle | from 0, < 3.8.9, >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4 |
| MEDIUM | 6.1 | Cross-site scripting (XSS) in moodle | >= 3.5.0, < 3.5.14, >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2 |
| MEDIUM | 6.1 | Cross-site Scripting (XSS) in moodle | >= 3.9.0, < 3.9.3 |
| MEDIUM | 5.9 | Moodle Authenticated LFI risk in some misconfigured shared hosting environments | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 5.5 | Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name paramete… | >= 3.10.0, < 4.1.10 |
| MEDIUM | 5.4 | Moodle has an authorization logic flaw | from 0, < 4.1.22, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| MEDIUM | 5.4 | Moodle vulnerable to Cross-site Scripting | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| MEDIUM | 5.4 | Moodle has a time restriction bypass | >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3 |
| MEDIUM | 5.4 | Moodle has reflected Cross-site Scripting risk in policy tool | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| MEDIUM | 5.4 | Moodle Lesson activity password bypass through PHP loose comparison | from 0, < 4.1.13, >= 4.2.0, < 4.2.10, >= 4.3.0, < 4.3.7, >= 4.4.0, < 4.4.3 |
| MEDIUM | 5.4 | Moodle reflected XSS via H5P error message | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| MEDIUM | 5.4 | Moodle Cross-site Scripting vulnerability | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| MEDIUM | 5.4 | Moodle CSRF risks due to misuse of confirm_sesskey | from 0, < 4.1.10, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1 |
| MEDIUM | 5.4 | Moodle Cross-site Scripting (XSS) | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 5.4 | Cross-site Scripting in Moodle Chat | >= 4.3.3, < 4.3.4 |
| MEDIUM | 5.4 | Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. | >= 4.3.0, < 4.3.1 |
| MEDIUM | 5.4 | Moodle Cross-site Scripting vulnerability | >= 3.9.0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| MEDIUM | 5.4 | Moodle Cross-site Scripting vulnerability | >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| MEDIUM | 5.4 | Moodle vulnerable to stored Cross-site Scripting | >= 3.10.1, < 3.10.2 |
| MEDIUM | 5.4 | Moodle Cross-site Scripting vulnerability | >= 3.11.0, < 3.11.1 |
| MEDIUM | 5.4 | Moodle Cross-site Scripting vulnerability | >= 3.11.0, < 3.11.1 |
| MEDIUM | 5.4 | Moodle stored-XSS vulnerability in some "social" user profile fields | >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5 |
| MEDIUM | 5.4 | Cross-Site Request Forgery in Moodle | >= 3.9.0, < 3.9.18, >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5 |
| MEDIUM | 5.4 | Moodle Cross-site Scripting vulnerability | >= 3.9.7, < 3.9.8, >= 3.10.4, < 3.10.5, >= 3.11.0, < 3.11.1 |
| MEDIUM | 5.4 | Moodle XSS Vulnerability | >= 3.8.0, < 3.8.1 |
| MEDIUM | 5.4 | Moodle Cross Site Scripting (XSS) | >= 3.10.3, < 3.10.4 |
| MEDIUM | 5.4 | Moodle contains Stored XSS via ID number user profile field | >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2 |
| MEDIUM | 5.4 | Moodle Cross-site Scripting | from 0, < 3.5.16, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1 |
| MEDIUM | 5.4 | Moodle Vulnerable to Reflected Cross-site Scripting | from 0, < 3.10.1 |
| MEDIUM | 5.4 | Cross-site Scripting in moodle | >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1 |
| MEDIUM | 5.4 | Moodle stored Cross-site Scripting | from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4 |
| MEDIUM | 5.4 | Cross-site scripting (XSS) and Server side request forgery (SSRF) in moodle | >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2 |
| MEDIUM | 5.3 | Moodle: router produces json instead of 404 error for invalid course id | >= 5.0.0, < 5.0.3 |
| MEDIUM | 5.3 | Moodle's error handling leads to sensitive information disclosure | >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3 |
| MEDIUM | 5.3 | Moodle does not properly enforce MFA | >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3 |
| MEDIUM | 5.3 | Moodle shows hidden grades to users without permission on some grade reports | from 0, < 4.1.17, >= 4.3.0, < 4.3.11, >= 4.4.0, < 4.4.7, >= 4.5.0, < 4.5.3 |
| MEDIUM | 5.3 | Moodle's non-searchable tags can still be discovered on the tag search page and in the tags block | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| MEDIUM | 5.3 | Moodle has insufficient capability checks | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| MEDIUM | 5.3 | Moodle's user/power level management inconsistent with suspended users | >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| MEDIUM | 5.3 | Moodle authorization headers preserved between "emulated redirects" | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| MEDIUM | 5.3 | Moodle has user information visibility control issues in gradebook reports | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| MEDIUM | 5.3 | Moodle has insufficient access control | >= 4.4.0, < 4.4.2 |
| MEDIUM | 5.3 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote addr… | >= 3.5.0, < 3.5.11, >= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.5, >= 3.8.0, < 3.8.2 |
| MEDIUM | 5.3 | Improper Access Control in moodle | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3 |
| MEDIUM | 5.3 | Authorization Bypass in moodle | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3 |
| MEDIUM | 5.3 | Improper Handling of Parameters in moodle | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3 |
| MEDIUM | 5.3 | Improper Access Control in moodle | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3 |
| MEDIUM | 5.3 | Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| MEDIUM | 5.3 | Moodle Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| MEDIUM | 5.3 | Moodle Improper Access Control vulnerability | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| MEDIUM | 5.3 | Moodle External Control of File Name or Path vulnerability | >= 4.1.0, < 4.1.3 |
| MEDIUM | 5.3 | Moodle has Incorrect Default Permissions | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| MEDIUM | 5.3 | Moodle has a Hidden Functionality vulnerability | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| MEDIUM | 5.3 | Moodle Improper Input Validation vulnerability | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| MEDIUM | 5.3 | Moodle has Incorrect Default Permissions | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| MEDIUM | 5.3 | Moodle Insecure direct object reference (IDOR) in a calendar web service | from 0, < 3.8.9, >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4 |
| MEDIUM | 5.3 | Moodle Bypass email verification secret when confirming account registration | >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2 |
| MEDIUM | 5.3 | Moodle Client side denial of service via personal message | >= 3.5.0, < 3.5.16, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1 |
| MEDIUM | 5.3 | External Control of Assumed-Immutable Web Parameter in moodle | >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1 |
| MEDIUM | 5.3 | Moodle Information Disclosure vulnerability | from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4 |
| MEDIUM | 5.3 | Exposure of Sensitive Information to an Unauthorized Actor in Moodle | >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3 |
| MEDIUM | 5.3 | Moodle allowed some users without permission to view other users' full names | >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2 |
| MEDIUM | 5.3 | Privilege Escalation in moodle | >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3 |
| MEDIUM | 4.9 | Moodle Improper Encoding or Escaping of Output | from 0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3 |
| MEDIUM | 4.8 | Moodle vulnerable to Stored Cross-site Scripting | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| MEDIUM | 4.7 | Moodle Code Injection vulnerability | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| MEDIUM | 4.3 | Moodle Inserts Sensitive Information Into Sent Data | from 0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| MEDIUM | 4.3 | Moodle: external cohort search service leaks system cohort data | >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3 |
| MEDIUM | 4.3 | Moodle exposed the names of hidden groups to users | >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3 |
| MEDIUM | 4.3 | Moodle course access permissions are not properly checked in course_output_fragment_course_overview | >= 5.0.0, < 5.0.3 |
| MEDIUM | 4.3 | Moodle sends quiz-related messages to inactive/suspended users | >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3 |
| MEDIUM | 4.3 | Moodle allows IDOR when accessing the cohorts report | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| MEDIUM | 4.3 | Moodle has an IDOR in web service which allows users enrolled in a course to access some details of other users | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| MEDIUM | 4.3 | Moodle's AJAX section delete does not respect course_can_delete_section() | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| MEDIUM | 4.3 | Moodle allows IDOR in RSS block, which allows access to additional RSS feeds | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| MEDIUM | 4.3 | Moodle has an IDOR in messaging web service which allows access to some user details | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| MEDIUM | 4.3 | Moodle makes some user data available before completing second factor with MFA enabled | >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| MEDIUM | 4.3 | Moodle reveals student identities through assignment submissions search on anonymous submissions | >= 4.5.0, < 4.5.4 |
| MEDIUM | 4.3 | Moodle self enrollment available before completing second factor with MFA enabled | >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| MEDIUM | 4.3 | Moodle IDOR when accessing list of course badges | >= 4.4.0, < 4.4.4 |
| MEDIUM | 4.3 | moodle: IDOR when fetching report schedules | from 0, < 4.1.19, >= 4.2.0, < 4.4.9 |
| MEDIUM | 4.3 | Moodle leaks user names | from 0, < 4.1.19, >= 4.2.0, < 4.4.9 |
| MEDIUM | 4.3 | Moodle IDOR when accessing list of badge recipients | >= 4.4.0, < 4.4.4 |
| MEDIUM | 4.3 | Moodle BigBlueButton web service leaks meeting joining information | >= 4.1.0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1 |
| MEDIUM | 4.3 | Moodle Unsanitized HTML in site log for config_log_created | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 4.3 | Moodle Cross-site Scripting (XSS) | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 4.3 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not… | >= 3.5.0, < 3.5.11, >= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.5, >= 3.8.0, < 3.8.2 |
| MEDIUM | 4.3 | Moodle Improper Access Control vulnerability | >= 4.2.2, < 4.2.3 |
| MEDIUM | 4.3 | Moodle may allow students to bypass sequential navigation during a quiz attempt | >= 3.9.0, < 3.9.16, >= 3.11.0, < 3.11.9, >= 4.0.0, < 4.0.3 |
| MEDIUM | 4.3 | Moodle may display roles to users who don't have access to them | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
| MEDIUM | 4.3 | Moodle may allow authenticated users to enumerate other user's names via learning plans page | >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
| MEDIUM | 4.3 | Moodle may allow teachers to access the names of users they could not otherwise access | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
| MEDIUM | 4.3 | Moodle No groups filtering in H5P activity attempts report | >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4 |
| MEDIUM | 4.3 | Moodle Incorrect Authorization | >= 3.9.0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3 |
| MEDIUM | 4.3 | Moodle Improper Authentication | from 0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3 |
| MEDIUM | 4.3 | Moodle Exposure of Sensitive Information to an Unauthorized Actor | >= 3.9.0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3 |
| MEDIUM | 4.3 | Missing permission check in Moodle | >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2 |
| MEDIUM | 4.3 | Moodle Grade information disclosure in grade's external fetch functions | from 0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1 |
| MEDIUM | 4.3 | Exposure of Sensitive Information in moodle | >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1 |
| MEDIUM | 4.3 | Improper Authentication in moodle | from 0, < 3.9.13, >= 3.10.0, < 3.10.10, >= 3.11.0, < 3.11.6 |
| MEDIUM | 4.3 | Missing authorization in Moodle | >= 3.9.0, < 3.9.13, >= 3.10.0, < 3.10.10, >= 3.11.0, < 3.11.6 |
| MEDIUM | 4.3 | Moodle Exposure of Sensitive Information to an Unauthorized Actor | >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4 |
| MEDIUM | 4.3 | Moodle Exposure of Sensitive Information to an Unauthorized Actor | >= 3.10.0, < 3.10.4 |
| MEDIUM | 4.3 | Insufficient user authorization in Moodle | from 0, < 3.8.10, >= 3.9.0, < 3.9.12, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.5 |
| MEDIUM | 4.2 | Moodle Session Fixation allows unauthenticated users to hijack sessions via sesskey parameter | >= 3.0.0, < 4.1.10 |
| LOW | 3.8 | Insufficient user authorization in Moodle | from 0, < 3.8.10, >= 3.9.0, < 3.9.12, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.5 |
| LOW | 3.7 | Moodle admin presets export tool includes some secrets that should not be exported | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| LOW | 3.5 | Moodle Open Redirect vulnerability | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| LOW | 3.5 | Moodle has a CSRF risk in user tours manager that allows tour duplication | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| LOW | 3.4 | Moodle has a stored XSS in ddimageortext question type | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| LOW | 3.3 | Moodle: duplicating a bigbluebutton activity assigns the same meeting id | >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| LOW | 3.3 | Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| LOW | 3.1 | Moodle's mod_data edit/delete pages pass CSRF token in GET parameter | from 0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| LOW | 3.1 | Moodle allows teachers to evade trusttext config when restoring glossary entries | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| LOW | 3.1 | Moodle has an IDOR in badges allows disabling of arbitrary badges | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| — | — | Moodle LMS 4.0 Cross-Site Scripting via course search.php | from 0, <= 4.0.0 |
| — | — | Moodle 3.10.3 - 'label' Persistent Cross Site Scripting | >= 3.10.3, <= 3.10.3 |