| Severity | CVSS | Advisory | Affected Moodle versions |
|---|---|---|---|
| CRITICAL | 9.8 | CVE-2024-33999: unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php | >= 4.3.0, < 4.3.4 |
| CRITICAL | 9.8 | CVE-2023-28333: pix helper potential Mustache code injection risk | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
|  |  | (title missing) | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| CRITICAL | 9.8 | Moodle SQL Injection vulnerability | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| CRITICAL | 9.8 | Moodle Session Fixation vulnerability | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| CRITICAL | 9.8 | Moodle remote code execution | >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4 |
| CRITICAL | 9.8 | Moodle: minor SQL injection risk in admin user browsing | >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4 |
| CRITICAL | 9.8 | Moodle PostScript Code Injection | >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2 |
| CRITICAL | 9.8 | Incorrect Calculation in Moodle | >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1 |
| CRITICAL | 9.8 | SQL injection in Moodle | >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1 |
| CRITICAL | 9.8 | SQL injection in Moodle | >= 3.11.0, < 3.11.5 |
| CRITICAL | 9.8 | Moodle vulnerable to RCE via unsafe deserialization | >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4 |
| CRITICAL | 9.1 | Moodle blind Server-Side Request Forgery (SSRF) vulnerability in LTI provider library | from 0, < 3.9.18, >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5 |
| CRITICAL | 9.1 | Moodle command execution vulnerability in the default legacy spellchecker plugin | >= 3.10.0, < 3.10.1 |
| HIGH | 8.8 | Moodle: remote code execution via insufficient restore input validation | from 0, < 4.1.22, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| HIGH | 8.8 | Moodle: authenticated remote code execution risk in the Moodle LMS Equella repository | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| HIGH | 8.8 | Moodle: CSRF risk in Brickfield tool's analysis request action | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| HIGH | 8.8 | Moodle: authenticated remote code execution risk in the Moodle LMS Dropbox repository | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| HIGH | 8.8 | Moodle: logout CSRF in admin/tool/mfa/auth.php | >= 4.3.0, < 4.3.4 |
| HIGH | 8.8 | Moodle: CSRF risk in analytics management of models | >= 4.0.0, < 4.3.4 |
| HIGH | 8.8 | MSA-24-0005: CSRF risk in language import utility | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3 |
| HIGH | 8.8 | Moodle: authenticated remote code execution risk in IMSCP | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| HIGH | 8.8 | Moodle: CSRF risk in resetting all templates of a database activity | >= 4.1.0, < 4.1.2 |
| HIGH | 8.8 | Moodle: authenticated SQL injection via availability check | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
| HIGH | 8.8 | Moodle Cross-Site Request Forgery (CSRF) | >= 3.11.0, < 3.11.9, >= 4.0.0, < 4.0.3 |
| HIGH | 8.8 | Moodle Incorrect Authorization vulnerability | >= 3.5.0, < 3.5.13, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.4, >= 3.9.0, < 3.9.1 |
| HIGH | 8.8 | Moodle contains CSRF vulnerability | from 0, < 3.8.9, >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4 |
| HIGH | 8.8 | Moodle incorrect access control | >= 3.5.0, < 3.5.14, >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2 |
| HIGH | 8.8 | Moodle vulnerable to RCE | >= 3.5.0, < 3.5.12, >= 3.6.0, < 3.6.10, >= 3.7.0, < 3.7.6, >= 3.8.0, < 3.8.3 |
| HIGH | 8.8 | SQL Injection in Moodle | >= 3.9.0, < 3.9.13, >= 3.10.0, < 3.10.10, >= 3.11.0, < 3.11.6 |
| HIGH | 8.8 | Cross-Site Request Forgery in Moodle | from 0, < 3.8.10, >= 3.9.0, < 3.9.12, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.5 |
| HIGH | 8.6 | Arbitrary file read risk through pdfTeX | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| HIGH | 8.4 | Moodle: CSRF risk in admin preset tool management of presets | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| HIGH | 8.3 | Stored XSS risk in admin live log | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| HIGH | 8.3 | Reflected XSS via question bank filter | >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| HIGH | 8.2 | Moodle: possible to set the preferred "start page" of other users | >= 3.9.0, < 3.9.19, >= 3.11.0, < 3.11.12, >= 4.0.0, < 4.0.6, >= 4.1.0, < 4.1.1 |
| HIGH | 8.1 | Moodle: authentication bypass via LTI provider allows suspended users to gain unauthorized access | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| HIGH | 8.1 | SQL injection risk in course search module list filter | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| HIGH | 8.1 | Moodle: CSRF risk in feedback non-respondents report | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 8.1 | Moodle: remote code execution via calculated question types | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.7 | Moodle: cache poisoning via injection into storage | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.5 | Moodle: brute-force facilitation due to missing rate limiting in confirmation email service | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| HIGH | 7.5 | Moodle: password brute-force risk when mobile/web services are enabled | >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3 |
| HIGH | 7.5 | Moodle: unauthenticated REST API user data exposure | >= 4.5.0, < 4.5.3 |
| HIGH | 7.5 | Moodle: IDOR when deleting OAuth2 linked accounts | from 0, < 4.1.13, >= 4.2.0, < 4.2.10, >= 4.3.0, < 4.3.7, >= 4.4.0, < 4.4.3 |
| HIGH | 7.5 | Moodle: IDOR in badges allows deletion of arbitrary badges | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.5 | Moodle: IDOR in feedback non-respondents report allows messaging arbitrary site users | >= 4.1.0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.5 | Moodle: arbitrary file read risk through pdfTeX | >= 4.1.0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.5 | Moodle: LFI vulnerability when restoring malformed block backups | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.5 | Moodle: HTTP Authorization header is preserved between "emulated redirects" | from 0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1 |
| HIGH | 7.5 | Moodle: reCAPTCHA can be bypassed on the login page | >= 4.3.0, < 4.3.4 |
| HIGH | 7.5 | In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of den… | >= 3.5.0, < 3.5.13, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.4, >= 3.9.0, < 3.9.1 |
| HIGH | 7.5 | MSA-24-0001: denial of service risk in file picker unzip functionality | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3 |
| HIGH | 7.5 | Moodle: SSRF risk due to insufficient check on the cURL blocked hosts | from 0, < 3.9.22, >= 3.11.0, < 3.11.15, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.4, >= 4.2.0, < 4.2.1 |
| HIGH | 7.5 | Moodle vulnerable to Server-Side Request Forgery | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| HIGH | 7.5 | Moodle vulnerable to Uncontrolled Resource Consumption | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1 |
| HIGH | 7.5 | Moodle arbitrary file read when importing lesson questions | >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2 |
| HIGH | 7.5 | Moodle Denial of Service | >= 3.5.0, < 3.5.14, >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2 |
| HIGH | 7.5 | Moodle denial-of-service risk in the draft files area | from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4 |
| HIGH | 7.5 | Privilege Escalation in Moodle | >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3 |
| HIGH | 7.5 | Improper Access Control in Moodle | >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3 |
| HIGH | 7.3 | Moodle: cross-site scripting vulnerability via inadequate input filtering in formula editor | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| HIGH | 7.3 | Moodle: cross-site scripting (XSS) via improper sanitization of AI prompt responses | >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| HIGH | 7.3 | Moodle: minor SQL injection risk in external wiki method for listing pages | >= 3.9.0, < 3.9.21, >= 3.11.0, < 3.11.14, >= 4.0.0, < 4.0.8, >= 4.1.0, < 4.1.3 |
| HIGH | 7.2 | Moodle: improper input sanitization in TeX filter administration setting | from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2 |
| HIGH | 7.2 | Moodle: improper validation in file restore functionality leading to remote code execution | from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2 |
| HIGH | 7.2 | Moodle: site administration SQL injection via XMLDB editor | >= 4.1.0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2 |
| HIGH | 7.2 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool. | >= 3.5.0, < 3.5.11, >= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.5, >= 3.8.0, < 3.8.2 |
| HIGH | 7.2 | Moodle arbitrary PHP code execution by site admins via Shibboleth configuration | from 0, < 3.5.16, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1 |
| HIGH | 7.2 | Moodle blind SQL injection possible via MNet authentication | from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4 |
| HIGH | 7.1 | Moodle: user DoS and name disclosure via IDOR in Moodle MFA email factor revoke action | >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4 |
| HIGH | 7.1 | Moodle stored cross-site scripting and page denial of service | >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4 |
| MEDIUM | 6.5 | Moodle: uncontrolled resource consumption in TeX formula editor leading to denial of service | from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2 |
| MEDIUM | 6.5 | Feedback response viewing and deletions did not respect Separate Groups mode | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2 |
| MEDIUM | 6.5 | Moodle: unprotected access to sensitive information via dynamic tables | from 0, < 4.1.13, >= 4.2.0, < 4.2.10, >= 4.3.0, < 4.3.7, >= 4.4.0, < 4.4.3 |
| MEDIUM | 6.5 | Moodle: IDOR in edit/delete RSS feed | from 0, < 4.1.19, >= 4.2.0, < 4.4.9 |
| MEDIUM | 6.5 | Moodle: some users can delete audiences of other reports | from 0, < 4.1.19, >= 4.2.0, < 4.4.9 |
| MEDIUM | 6.5 | Moodle: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys | >= 4.1.0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1 |
| MEDIUM | 6.5 | Moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.5 | Moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.5 | Moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_feedback backup | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.5 | Inadequate access control vulnerability in Moodle | from 0, < 4.3.4 |
| MEDIUM | 6.5 | Moodle: RCE due to LFI risk in some misconfigured shared hosting environments | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| MEDIUM | 6.5 | Moodle: authenticated arbitrary file read through malformed backup file | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
| MEDIUM | 6.5 | Moodle type juggling vulnerability | from 0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3 |
| MEDIUM | 6.5 | Cross-Site Request Forgery in Moodle | from 0, < 3.7.2 |
| MEDIUM | 6.5 | SQL Injection in Moodle | >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3 |
| MEDIUM | 6.3 | Moodle: minor SQL injection risk on MNet SSO access control page | from 0, < 3.9.22, >= 3.11.0, < 3.11.15, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.4, >= 4.2.0, < 4.2.1 |
| MEDIUM | 6.2 | Moodle: broken access control when setting calendar event type | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.1 | Moodle: formula injection allows arbitrary formula execution via unescaped data export | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1 |
| MEDIUM | 6.1 | Moodle: stored XSS via calendar's event title when deleting the event | >= 4.1.0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1 |
| MEDIUM | 6.1 | Moodle: stored XSS risk when editing another user's equation in equation editor | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.1 | Cross-site scripting in Moodle | >= 3.10.9, < 4.1.10 |
| MEDIUM | 6.1 | Moodle: XSS risk when previewing data in course upload tool | >= 3.9.0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| MEDIUM | 6.1 | Moodle: XSS risk when using CSV grade import method | >= 3.9.0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3 |
| MEDIUM | 6.1 | Moodle: XSS risk on groups page | >= 3.11.0, < 3.11.15, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.4, >= 4.2.0, < 4.2.1 |
| MEDIUM | 6.1 | Moodle: XSS risk when outputting database activity filter data | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
| MEDIUM | 6.1 | Moodle: algebra filter XSS when filter is misconfigured | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2 |
| MEDIUM | 6.1 | Moodle: reflected XSS risk in blog search | >= 4.0.0, < 4.0.6, >= 4.1.0, < 4.1.1 |
| MEDIUM | 6.1 | Moodle: reflected XSS risk in some returnurl parameters | >= 3.9.0, < 3.9.19, >= 3.11.0, < 3.11.12, >= 4.0.0, < 4.0.6, >= 4.1.0, < 4.1.1 |
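The affected-version column is only useful if it can be matched against the version actually deployed. The checker below is an added example, not code from the listing or from Moodle: it parses the range notation used in the rows above and reports which listed advisories apply to a given version. It assumes the notation reads left to right as alternating lower and upper bounds, with ">= X" (or "from 0", meaning no lower bound) opening a range and "< Y" closing it, so "from 0, < 4.1.22, >= 4.4.0, < 4.4.12" means [0, 4.1.22) or [4.4.0, 4.4.12). The ADVISORIES list is a constructed excerpt of four rows with shortened titles; the parsing functions, names and the handling of Moodle "+" weekly builds are this example's own choices.

```python
"""Check a Moodle version against the affected-version ranges used in the
advisory listing above.  Added example; not part of the listing or of Moodle.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]
# (lower bound inclusive, or None for "from 0"; upper bound exclusive)
Range = Tuple[Optional[Version], Version]

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'4.1.12' -> (4, 1, 12).  A Moodle '+' weekly build ('4.1.12+') is
    treated as its base release, the conservative reading: the build is
    flagged whenever the release it is based on is."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so '4.1' compares as 4.1.0.
    return parts + (0,) * (3 - len(parts))


def parse_ranges(spec: str) -> List[Range]:
    """Parse one 'Affected versions' cell into (lower, upper) pairs.
    Assumed notation: alternating '>= X' / 'from 0' and '< Y' tokens."""
    ranges: List[Range] = []
    lower: Optional[Version] = None
    open_range = False
    for token in (t.strip() for t in spec.split(",")):
        if token == "from 0" or token.startswith(">= "):
            if open_range:
                raise ValueError(f"two lower bounds in a row in {spec!r}")
            lower = None if token == "from 0" else parse_version(token[3:])
            open_range = True
        elif token.startswith("< "):
            if not open_range:
                raise ValueError(f"upper bound without lower bound in {spec!r}")
            ranges.append((lower, parse_version(token[2:])))
            open_range = False
        else:
            raise ValueError(f"unrecognised bound {token!r} in {spec!r}")
    if open_range:
        raise ValueError(f"dangling lower bound in {spec!r}")
    return ranges


def is_affected(version: str, spec: str) -> bool:
    """True when `version` falls inside any range of `spec`."""
    v = parse_version(version)
    return any((lo is None or v >= lo) and v < hi for lo, hi in parse_ranges(spec))


# Constructed excerpt of the listing above (titles shortened).  Extend it
# with the rows you care about, or load the whole table from a file.
ADVISORIES = [
    ("CRITICAL", 9.8, "unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php",
     ">= 4.3.0, < 4.3.4"),
    ("HIGH", 8.8, "remote code execution via insufficient restore input validation",
     "from 0, < 4.1.22, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1"),
    ("HIGH", 7.5, "unauthenticated REST API user data exposure", ">= 4.5.0, < 4.5.3"),
    ("MEDIUM", 6.5, "IDOR in edit/delete RSS feed", "from 0, < 4.1.19, >= 4.2.0, < 4.4.9"),
]


def matching_advisories(version: str, advisories=ADVISORIES) -> List[Tuple[str, float, str]]:
    """Return (severity, score, title) for each advisory whose ranges contain `version`."""
    return [(sev, score, title) for sev, score, title, spec in advisories
            if is_affected(version, spec)]


if __name__ == "__main__":
    import sys
    installed = sys.argv[1] if len(sys.argv) > 1 else "4.4.8"
    hits = matching_advisories(installed)
    print(f"{installed}: {len(hits)} listed advisories apply")
    for sev, score, title in hits:
        print(f"  {sev:<8} {score:<4} {title}")
```

Read "no match" with care. Several rows jump from a 4.1.x upper bound straight to ">= 4.4.0", with no 4.2 or 4.3 range: those branches were simply not in security support when the fix shipped, so a 4.2.x or 4.3.x install falls through this check without being cleared. Treat a version that lands in such a gap as unsupported and unpatched, not as unaffected.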