Severity | CVSS score | Advisory | Affected Moodle versions (comma-separated lower/upper bound pairs; "from 0" means every release before the first listed fix)
CRITICAL | 9.8 | CVE-2024-33999 Moodle: unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php | >= 4.3.0, < 4.3.4
CRITICAL | 9.8 | CVE-2023-28333 Moodle: pix helper potential Mustache code injection risk | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
CRITICAL | 9.8 | Moodle SQL injection vulnerability | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
CRITICAL | 9.8 | Moodle session fixation vulnerability | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
CRITICAL | 9.8 | Moodle SQL injection vulnerability | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
CRITICAL | 9.8 | Moodle: minor SQL injection risk in admin user browsing | >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4
CRITICAL | 9.8 | Moodle remote code execution | >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4
CRITICAL | 9.8 | Moodle PostScript code injection | >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2
CRITICAL | 9.8 | Incorrect calculation in Moodle | >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1
CRITICAL | 9.8 | SQL injection in Moodle | >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1
CRITICAL | 9.8 | SQL injection in Moodle | >= 3.11.0, < 3.11.5
CRITICAL | 9.8 | Moodle vulnerable to RCE via unsafe deserialization | >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4
CRITICAL | 9.1 | Moodle blind server-side request forgery (SSRF) vulnerability in LTI provider library | from 0, < 3.9.18, >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5
CRITICAL | 9.1 | Moodle command execution vulnerability in the default legacy spellchecker plugin | >= 3.10.0, < 3.10.1
HIGH | 8.8 | Moodle: remote code execution via insufficient restore input validation | from 0, < 4.1.22, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
HIGH | 8.8 | Moodle: authenticated remote code execution risk in the Moodle LMS Dropbox repository | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
HIGH | 8.8 | Moodle: authenticated remote code execution risk in the Moodle LMS EQUELLA repository | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
HIGH | 8.8 | Moodle: CSRF risk in Brickfield tool's analysis request action | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
HIGH | 8.8 | Moodle: CSRF risk in analytics management of models | >= 4.0.0, < 4.3.4
HIGH | 8.8 | Moodle: logout CSRF in admin/tool/mfa/auth.php | >= 4.3.0, < 4.3.4
HIGH | 8.8 | MSA-24-0005: CSRF risk in language import utility | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
HIGH | 8.8 | Moodle: authenticated remote code execution risk in IMSCP | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
HIGH | 8.8 | Moodle: CSRF risk in resetting all templates of a database activity | >= 4.1.0, < 4.1.2
HIGH | 8.8 | Moodle: authenticated SQL injection via availability check | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
HIGH | 8.8 | Moodle cross-site request forgery (CSRF) | >= 3.11.0, < 3.11.9, >= 4.0.0, < 4.0.3
HIGH | 8.8 | Moodle incorrect authorization vulnerability | >= 3.5.0, < 3.5.13, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.4, >= 3.9.0, < 3.9.1
HIGH | 8.8 | Moodle contains CSRF vulnerability | from 0, < 3.8.9, >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4
HIGH | 8.8 | Moodle incorrect access control | >= 3.5.0, < 3.5.14, >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2
HIGH | 8.8 | Moodle vulnerable to RCE | >= 3.5.0, < 3.5.12, >= 3.6.0, < 3.6.10, >= 3.7.0, < 3.7.6, >= 3.8.0, < 3.8.3
HIGH | 8.8 | SQL injection in Moodle | >= 3.9.0, < 3.9.13, >= 3.10.0, < 3.10.10, >= 3.11.0, < 3.11.6
HIGH | 8.8 | Cross-site request forgery in Moodle | from 0, < 3.8.10, >= 3.9.0, < 3.9.12, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.5
HIGH | 8.6 | Arbitrary file read risk through pdfTeX | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
HIGH | 8.4 | Moodle: CSRF risk in admin preset tool management of presets | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
HIGH | 8.3 | Stored XSS risk in admin live log | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
HIGH | 8.3 | Reflected XSS via question bank filter | >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
HIGH | 8.2 | Moodle: possible to set the preferred "start page" of other users | >= 3.9.0, < 3.9.19, >= 3.11.0, < 3.11.12, >= 4.0.0, < 4.0.6, >= 4.1.0, < 4.1.1
HIGH | 8.1 | Moodle: authentication bypass via LTI provider allows suspended users to gain unauthorized access | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
HIGH | 8.1 | SQL injection risk in course search module list filter | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
HIGH | 8.1 | Moodle: CSRF risk in feedback non-respondents report | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
HIGH | 8.1 | Moodle: remote code execution via calculated question types | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
HIGH | 7.7 | Moodle: cache poisoning via injection into storage | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
HIGH | 7.5 | Moodle: brute-force facilitation due to missing rate limiting in confirmation email service | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
HIGH | 7.5 | Moodle: password brute force risk when mobile/web services enabled | >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
HIGH | 7.5 | Moodle: unauthenticated REST API user data exposure | >= 4.5.0, < 4.5.3
HIGH | 7.5 | Moodle: IDOR when deleting OAuth2 linked accounts | from 0, < 4.1.13, >= 4.2.0, < 4.2.10, >= 4.3.0, < 4.3.7, >= 4.4.0, < 4.4.3
HIGH | 7.5 | Moodle: IDOR in badges allows deletion of arbitrary badges | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
HIGH | 7.5 | Moodle: IDOR in feedback non-respondents report allows messaging arbitrary site users | >= 4.1.0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
HIGH | 7.5 | Moodle: arbitrary file read risk through pdfTeX | >= 4.1.0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
HIGH | 7.5 | Moodle: LFI vulnerability when restoring malformed block backups | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
HIGH | 7.5 | Moodle: HTTP Authorization header is preserved between "emulated redirects" | from 0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1
HIGH | 7.5 | Moodle: reCAPTCHA can be bypassed on the login page | >= 4.3.0, < 4.3.4
HIGH | 7.5 | In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of den… | >= 3.5.0, < 3.5.13, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.4, >= 3.9.0, < 3.9.1
HIGH | 7.5 | MSA-24-0001: denial of service risk in file picker unzip functionality | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
HIGH | 7.5 | Moodle: SSRF risk due to insufficient check on the cURL blocked hosts | from 0, < 3.9.22, >= 3.11.0, < 3.11.15, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.4, >= 4.2.0, < 4.2.1
HIGH | 7.5 | Moodle vulnerable to server-side request forgery | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
HIGH | 7.5 | Moodle vulnerable to uncontrolled resource consumption | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
HIGH | 7.5 | Moodle arbitrary file read when importing lesson questions | >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2
HIGH | 7.5 | Moodle denial of service | >= 3.5.0, < 3.5.14, >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2
HIGH | 7.5 | Moodle denial-of-service risk in the draft files area | from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4
HIGH | 7.5 | Privilege escalation in Moodle | >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3
HIGH | 7.5 | Improper access control in Moodle | >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3
HIGH | 7.3 | Moodle: cross-site scripting vulnerability via inadequate input filtering in formula editor | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
HIGH | 7.3 | Moodle: cross-site scripting (XSS) via improper sanitization of AI prompt responses | >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
HIGH | 7.3 | Moodle: minor SQL injection risk in external wiki method for listing pages | >= 3.9.0, < 3.9.21, >= 3.11.0, < 3.11.14, >= 4.0.0, < 4.0.8, >= 4.1.0, < 4.1.3
HIGH | 7.2 | Moodle: improper input sanitization in TeX filter administration setting | from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2
HIGH | 7.2 | Moodle: improper validation in file restore functionality leading to remote code execution | from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2
HIGH | 7.2 | Moodle: site administration SQL injection via XMLDB editor | >= 4.1.0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
HIGH | 7.2 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHPUnit webrunner admin tool. | >= 3.5.0, < 3.5.11, >= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.5, >= 3.8.0, < 3.8.2
HIGH | 7.2 | Moodle arbitrary PHP code execution by site admins via Shibboleth configuration | from 0, < 3.5.16, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1
HIGH | 7.2 | Moodle blind SQL injection possible via MNet authentication | from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4
HIGH | 7.1 | Moodle: user DoS and name disclosure via IDOR in Moodle MFA email factor revoke action | >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
HIGH | 7.1 | Moodle stored cross-site scripting and page denial of service | >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4
MEDIUM | 6.5 | Moodle: uncontrolled resource consumption in TeX formula editor leading to denial of service | from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2
MEDIUM | 6.5 | Feedback response viewing and deletions did not respect Separate Groups mode | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
MEDIUM | 6.5 | Moodle: unprotected access to sensitive information via dynamic tables | from 0, < 4.1.13, >= 4.2.0, < 4.2.10, >= 4.3.0, < 4.3.7, >= 4.4.0, < 4.4.3
MEDIUM | 6.5 | Moodle: some users can delete audiences of other reports | from 0, < 4.1.19, >= 4.2.0, < 4.4.9
MEDIUM | 6.5 | Moodle: IDOR in edit/delete RSS feed | from 0, < 4.1.19, >= 4.2.0, < 4.4.9
MEDIUM | 6.5 | Moodle: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys | >= 4.1.0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1
MEDIUM | 6.5 | Moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
MEDIUM | 6.5 | Moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
MEDIUM | 6.5 | Moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_feedback backup | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
MEDIUM | 6.5 | Inadequate access control vulnerability in Moodle | from 0, < 4.3.4
MEDIUM | 6.5 | Moodle: RCE due to LFI risk in some misconfigured shared hosting environments | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
MEDIUM | 6.5 | Moodle: authenticated arbitrary file read through malformed backup file | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
MEDIUM | 6.5 | Moodle type juggling vulnerability | from 0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3
MEDIUM | 6.5 | Cross-site request forgery in Moodle | from 0, < 3.7.2
MEDIUM | 6.5 | SQL injection in Moodle | >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3
MEDIUM | 6.3 | Moodle: minor SQL injection risk on MNet SSO access control page | from 0, < 3.9.22, >= 3.11.0, < 3.11.15, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.4, >= 4.2.0, < 4.2.1
MEDIUM | 6.2 | Moodle: broken access control when setting calendar event type | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
MEDIUM | 6.1 | Moodle: formula injection allows arbitrary formula execution via unescaped data export | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
MEDIUM | 6.1 | Moodle: stored XSS via calendar's event title when deleting the event | >= 4.1.0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1
MEDIUM | 6.1 | Moodle: stored XSS risk when editing another user's equation in equation editor | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
MEDIUM | 6.1 | Cross-site scripting in Moodle | >= 3.10.9, < 4.1.10
MEDIUM | 6.1 | Moodle: XSS risk when previewing data in course upload tool | >= 3.9.0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
MEDIUM | 6.1 | Moodle: XSS risk when using CSV grade import method | >= 3.9.0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
MEDIUM | 6.1 | Moodle: XSS risk on groups page | >= 3.11.0, < 3.11.15, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.4, >= 4.2.0, < 4.2.1
MEDIUM | 6.1 | Moodle: XSS risk when outputting database activity filter data | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
MEDIUM | 6.1 | Moodle: algebra filter XSS when filter is misconfigured | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
MEDIUM | 6.1 | Moodle: reflected XSS risk in some returnurl parameters | >= 3.9.0, < 3.9.19, >= 3.11.0, < 3.11.12, >= 4.0.0, < 4.0.6, >= 4.1.0, < 4.1.1
MEDIUM | 6.1 | Moodle: reflected XSS risk in blog search | >= 4.0.0, < 4.0.6, >= 4.1.0, < 4.1.1
MEDIUM | 6.1 | Moodle reflected cross-site scripting vulnerability in policy tool | >= 3.9.0, < 3.9.18, >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5
MEDIUM | 6.1 | Moodle reflected XSS vulnerability | >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.4, >= 3.9.0, < 3.9.1
MEDIUM | 6.1 | Moodle LTI module reflected XSS risk | >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2
MEDIUM | 6.1 | Moodle open redirect risk in mobile auto-login feature | >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2
MEDIUM | 6.1 | Moodle stored XSS and blind SSRF possible via SCORM track details | >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2
MEDIUM | 6.1 | Moodle cross-site scripting (XSS) | >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2
MEDIUM | 6.1 | Moodle stored cross-site scripting (XSS) | >= 3.9.0, < 3.9.2
MEDIUM | 6.1 | Moodle reflected XSS | from 0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4
MEDIUM | 6.1 | Cross-site scripting in Moodle | from 0, < 3.8.9, >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4
MEDIUM | 6.1 | Cross-site scripting (XSS) in Moodle | >= 3.5.0, < 3.5.14, >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2
MEDIUM | 6.1 | Cross-site scripting (XSS) in Moodle | >= 3.9.0, < 3.9.3
MEDIUM | 5.9 | Moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_workshop backup | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
MEDIUM | 5.5 | Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name paramete… | >= 3.10.0, < 4.1.10
MEDIUM | 5.4 | Moodle: privilege escalation via incomplete role checks in badge awarding | from 0, < 4.1.22, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
MEDIUM | 5.4 | Moodle: information disclosure and script execution via reflected cross-site scripting | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
MEDIUM | 5.4 | Moodle: possible to bypass timer in timed assignments | >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
MEDIUM | 5.4 | Moodle: reflected XSS risk in policy tool | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
MEDIUM | 5.4 | Moodle: lesson activity password bypass through PHP loose comparison | from 0, < 4.1.13, >= 4.2.0, < 4.2.10, >= 4.3.0, < 4.3.7, >= 4.4.0, < 4.4.3
MEDIUM | 5.4 | Moodle: reflected XSS via H5P error message | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
MEDIUM | 5.4 | Moodle: XSS risk when restoring malicious course backup file | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
MEDIUM | 5.4 | Moodle: CSRF risks due to misuse of confirm_sesskey | from 0, < 4.1.10, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1
MEDIUM | 5.4 | Moodle: stored XSS via user's name on participants page when opening some options | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
MEDIUM | 5.4 | Cross-site scripting in Moodle Chat | >= 4.3.3, < 4.3.4
MEDIUM | 5.4 | Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher | >= 4.3.0, < 4.3.1
MEDIUM | 5.4 | Moodle: stored XSS and potential IDOR risk in wiki comments | >= 3.9.0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
MEDIUM | 5.4 | Moodle: stored XSS in quiz grading report via user ID number | >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
MEDIUM | 5.4 | Moodle vulnerable to stored cross-site scripting | >= 3.10.1, < 3.10.2
MEDIUM | 5.4 | Moodle cross-site scripting vulnerability | >= 3.11.0, < 3.11.1
MEDIUM | 5.4 | Moodle cross-site scripting vulnerability | >= 3.11.0, < 3.11.1
MEDIUM | 5.4 | Moodle stored XSS vulnerability in some "social" user profile fields | >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5
MEDIUM | 5.4 | Cross-site request forgery in Moodle | >= 3.9.0, < 3.9.18, >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5
MEDIUM | 5.4 | Moodle cross-site scripting vulnerability | >= 3.9.7, < 3.9.8, >= 3.10.4, < 3.10.5, >= 3.11.0, < 3.11.1
MEDIUM | 5.4 | Moodle XSS vulnerability | >= 3.8.0, < 3.8.1
MEDIUM | 5.4 | Moodle cross-site scripting (XSS) | >= 3.10.3, < 3.10.4
MEDIUM | 5.4 | Moodle contains stored XSS via ID number user profile field | >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2
MEDIUM | 5.4 | Moodle cross-site scripting | from 0, < 3.5.16, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1
MEDIUM | 5.4 | Moodle vulnerable to reflected cross-site scripting | from 0, < 3.10.1
MEDIUM | 5.4 | Cross-site scripting in Moodle | >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1
MEDIUM | 5.4 | Moodle stored cross-site scripting | from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4
MEDIUM | 5.4 | Cross-site scripting (XSS) and server-side request forgery (SSRF) in Moodle | >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2
MEDIUM | 5.3 | Moodle: router produces JSON instead of 404 error for invalid course id | >= 5.0.0, < 5.0.3
MEDIUM | 5.3 | Moodle: router (r.php) could expose application directories | >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
MEDIUM | 5.3 | Moodle: possible to bypass MFA | >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
MEDIUM | 5.3 | Moodle: hidden grades shown to users without permission on some grade reports | from 0, < 4.1.17, >= 4.3.0, < 4.3.11, >= 4.4.0, < 4.4.7, >= 4.5.0, < 4.5.3
MEDIUM | 5.3 | Non-searchable tags can still be discovered on the tag search page and in the tags block | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
MEDIUM | 5.3 | Moodle: can create global glossary without being admin | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
MEDIUM | 5.3 | Moodle: Matrix user/power level management not always working as expected with suspended users | >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
MEDIUM | 5.3 | Moodle: authorization headers preserved between "emulated redirects" | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
MEDIUM | 5.3 | Moodle: user information visibility control issues in gradebook reports | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
MEDIUM | 5.3 | Moodle: lack of access control when using external methods for quiz overrides | >= 4.4.0, < 4.4.2
MEDIUM | 5.3 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote addr… | >= 3.5.0, < 3.5.11, >= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.5, >= 3.8.0, < 3.8.2
MEDIUM | 5.3 | MSA-24-0003: H5P attempts report did not respect activity group settings | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
MEDIUM | 5.3 | MSA-24-0006: IDOR on dashboard comments block | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
MEDIUM | 5.3 | MSA-24-0002: forum search accepted random parameters in its URL | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
MEDIUM | 5.3 | MSA-24-0004: forum export did not respect activity group settings | from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
MEDIUM | 5.3 | Moodle: auto-populated H5P author name causes a potential information leak | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
MEDIUM | 5.3 | Moodle: cache poisoning risk with endpoint revision numbers | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
MEDIUM | 5.3 | Moodle: insufficient capability checks when updating the parent of a course category | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
MEDIUM | 5.3 | Moodle: TinyMCE loaders susceptible to arbitrary folder creation | >= 4.1.0, < 4.1.3
MEDIUM | 5.3 | Moodle has incorrect default permissions | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
MEDIUM | 5.3 | Moodle has a hidden functionality vulnerability | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
MEDIUM | 5.3 | Moodle improper input validation vulnerability | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
MEDIUM | 5.3 | Moodle has incorrect default permissions | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
MEDIUM | 5.3 | Moodle insecure direct object reference (IDOR) in a calendar web service | from 0, < 3.8.9, >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4
MEDIUM | 5.3 | Moodle bypass of email verification secret when confirming account registration | >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2
MEDIUM | 5.3 | Moodle client-side denial of service via personal message | >= 3.5.0, < 3.5.16, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1
MEDIUM | 5.3 | External control of assumed-immutable web parameter in Moodle | >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1
MEDIUM | 5.3 | Moodle information disclosure vulnerability | from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4
MEDIUM | 5.3 | Exposure of sensitive information to an unauthorized actor in Moodle | >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3
MEDIUM | 5.3 | Moodle allowed some users without permission to view other users' full names | >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2
MEDIUM | 5.3 | Privilege escalation in Moodle | >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3
MEDIUM | 4.9 | Moodle improper encoding or escaping of output | from 0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3
MEDIUM | 4.8 | Moodle vulnerable to stored cross-site scripting | from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
MEDIUM | 4.7 | Moodle: authenticated remote code execution risk in lesson | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
MEDIUM | 4.3 | Moodle: data exposure of user identifiers in URLs | from 0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
MEDIUM | 4.3 | Moodle: external cohort search service leaks system cohort data | >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
MEDIUM | 4.3 | Moodle: hidden group names visible to event creators | >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
MEDIUM | 4.3 | Moodle: course access permissions not properly checked in course_output_fragment_course_overview | >= 5.0.0, < 5.0.3
MEDIUM | 4.3 | Moodle: quiz notifications sent to suspended participants | >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
MEDIUM | 4.3 | Moodle: IDOR when accessing the cohorts report | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
MEDIUM | 4.3 | Moodle: IDOR in web service allows users enrolled in a course to access some details of other users | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
MEDIUM | 4.3 | Moodle: AJAX section delete does not respect course_can_delete_section() | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
MEDIUM | 4.3 | Moodle: IDOR in Moodle RSS block allows unauthorized access to RSS feeds | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
MEDIUM | 4.3 | Moodle: IDOR in messaging web service allows access to some user details | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
MEDIUM | 4.3 | Moodle: partial data exposure before completing multi-factor authentication | >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
MEDIUM | 4.3 | Moodle: assignment submission search leaks anonymous student identities | >= 4.5.0, < 4.5.4
MEDIUM | 4.3 | Moodle: course self-enrolment allowed before completing MFA | >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
MEDIUM | 4.3 | Moodle: IDOR when accessing list of course badges | >= 4.4.0, < 4.4.4
MEDIUM | 4.3 | Moodle: IDOR when fetching report schedules | from 0, < 4.1.19, >= 4.2.0, < 4.4.9
MEDIUM | 4.3 | Moodle: users' names returned in messaging error message | from 0, < 4.1.19, >= 4.2.0, < 4.4.9
MEDIUM | 4.3 | Moodle: IDOR when accessing list of badge recipients | >= 4.4.0, < 4.4.4
MEDIUM | 4.3 | Moodle: BigBlueButton web service leaks meeting joining information to users who should not have access | >= 4.1.0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1
MEDIUM | 4.3 | Moodle: unsanitized HTML in site log for config_log_created | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
MEDIUM | 4.3 | Moodle: stored XSS in lesson overview report via user ID number | from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
MEDIUM | 4.3 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not… | >= 3.5.0, < 3.5.11, >= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.5, >= 3.8.0, < 3.8.2
MEDIUM | 4.3 | Moodle: students can view other users in "only see own membership" groups | >= 4.2.2, < 4.2.3
MEDIUM | 4.3 | Moodle may allow students to bypass sequential navigation during a quiz attempt | >= 3.9.0, < 3.9.16, >= 3.11.0, < 3.11.9, >= 4.0.0, < 4.0.3
MEDIUM | 4.3 | Moodle: course participation report shows roles the user should not see | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
MEDIUM | 4.3 | Moodle: users' name enumeration possible via IDOR on learning plans page | >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
MEDIUM | 4.3 | Moodle: teacher can access names of users they do not have permission to access | >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
MEDIUM | 4.3 | Moodle: no groups filtering in H5P activity attempts report | >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4
MEDIUM | 4.3 | Moodle incorrect authorization | >= 3.9.0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3
MEDIUM | 4.3 | Moodle improper authentication | from 0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3
MEDIUM | 4.3 | Moodle exposure of sensitive information to an unauthorized actor | >= 3.9.0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3
MEDIUM | 4.3 | Missing permission check in Moodle | >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2
MEDIUM | 4.3 | Moodle grade information disclosure in grade's external fetch functions | from 0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1
MEDIUM | 4.3 | Exposure of sensitive information in Moodle | >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1
MEDIUM | 4.3 | Improper authentication in Moodle | from 0, < 3.9.13, >= 3.10.0, < 3.10.10, >= 3.11.0, < 3.11.6
MEDIUM | 4.3 | Missing authorization in Moodle | >= 3.9.0, < 3.9.13, >= 3.10.0, < 3.10.10, >= 3.11.0, < 3.11.6
MEDIUM | 4.3 | Moodle exposure of sensitive information to an unauthorized actor | >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4
MEDIUM | 4.3 | Moodle exposure of sensitive information to an unauthorized actor | >= 3.10.0, < 3.10.4
MEDIUM | 4.3 | Insufficient user authorization in Moodle | from 0, < 3.8.10, >= 3.9.0, < 3.9.12, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.5
MEDIUM | 4.2 | Moodle session fixation allows unauthenticated users to hijack sessions via sesskey parameter | >= 3.0.0, < 4.1.10
LOW | 3.8 | Insufficient user authorization in Moodle | from 0, < 3.8.10, >= 3.9.0, < 3.9.12, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.5
LOW | 3.7 | Moodle: admin presets export tool includes some secrets that should not be exported | from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
LOW | 3.5 | Moodle: open redirect vulnerability in OAuth login flow allows redirection to malicious sites | from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
LOW | 3.5 | Moodle: CSRF risk in user tours manager allows tour duplication | from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
LOW | 3.4 | Stored XSS in ddimageortext question type | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
LOW | 3.3 | Moodle: duplicating a BigBlueButton activity assigns the same meeting ID | >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
LOW | 3.3 | Moodle: forum summary report shows students from other groups when in separate groups mode | from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
LOW | 3.1 | Moodle: CSRF token exposure via URL in mod_data module | from 0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
LOW | 3.1 | Teachers can evade trusttext config when restoring glossary entries | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
LOW | 3.1 | IDOR in badges allows disabling of arbitrary badges | >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
— | — | Moodle LMS 4.0 cross-site scripting via course search.php | from 0, <= 4.0.0
— | — | Moodle 3.10.3 - 'label' persistent cross-site scripting | >= 3.10.3, <= 3.10.3
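The affected-version column above uses a compact notation ("from 0, < 3.9.8, >= 3.10.0, < 3.10.5") in which each lower bound opens a range and the next upper bound closes it. Matching an installed Moodle version against a list this long by eye is error-prone, so the following is an added example of a checker for exactly that notation. It is editor-written code, not code from Moodle or from the advisory database; parse_ranges, is_affected and affecting are my own names, and the ADVISORIES list is a constructed sample of five rows copied from the table. The parser also accepts a bare ">" bound and a trailing lower bound with no upper bound, which this page never uses but the same feeds do elsewhere.

```python
"""Check a Moodle version against the affected-range notation used in the table.

Added example (editor's code, not Moodle's or the advisory database's).
Assumed notation: comma-separated clauses "from X", ">= X", "> X", "< Y", "<= Y".
"""
import re
from typing import NamedTuple, Optional

Version = tuple[int, int, int]


class Range(NamedTuple):
    lower: Version             # inclusive unless lower_open is True
    lower_open: bool           # True for "> X" (not used on this page)
    upper: Optional[Version]   # None means no upper bound
    upper_inclusive: bool      # True for "<= Y", False for "< Y"

    def contains(self, v: Version) -> bool:
        if v < self.lower or (self.lower_open and v == self.lower):
            return False
        if self.upper is None:
            return True
        return v <= self.upper if self.upper_inclusive else v < self.upper


def parse_version(text: str) -> Version:
    """'4.1' -> (4, 1, 0): pad to three components so tuple comparison is safe."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


# Order matters: ">=" must be tried before ">" and "<=" before "<".
_CLAUSE = re.compile(r"^(from|>=|>|<=|<)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_ranges(spec: str) -> list[Range]:
    """Turn the clause list into Range objects.

    A lower bound ("from X" / ">= X" / "> X") opens a range; the next upper
    bound ("< Y" / "<= Y") closes it. An upper bound with no preceding lower
    bound means "everything below Y"; a trailing lower bound means "X and later".
    """
    ranges: list[Range] = []
    pending: Optional[tuple[Version, bool]] = None  # (lower, lower_open)
    for raw in spec.split(","):
        m = _CLAUSE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised clause {raw.strip()!r} in {spec!r}")
        op, ver = m.group(1), parse_version(m.group(2))
        if op in ("from", ">=", ">"):
            if pending is not None:  # previous lower bound was never closed
                ranges.append(Range(pending[0], pending[1], None, False))
            pending = (ver, op == ">")
        else:
            lower = pending if pending is not None else ((0, 0, 0), False)
            ranges.append(Range(lower[0], lower[1], ver, op == "<="))
            pending = None
    if pending is not None:
        ranges.append(Range(pending[0], pending[1], None, False))
    return ranges


def is_affected(version: str, spec: str) -> bool:
    """True if `version` falls inside any range of `spec`."""
    v = parse_version(version)
    return any(r.contains(v) for r in parse_ranges(spec))


# Constructed sample: five (title, affected-range) rows copied from the table.
ADVISORIES = [
    ("CSRF risk in admin preset tool management of presets",
     "from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4"),
    ("CSRF risk in feedback non-respondents report",
     "from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2"),
    ("password brute force risk when mobile/web services enabled",
     ">= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3"),
    ("unauthenticated REST API user data exposure", ">= 4.5.0, < 4.5.3"),
    ("Moodle 3.10.3 - 'label' persistent cross-site scripting", ">= 3.10.3, <= 3.10.3"),
]


def affecting(version: str, advisories=ADVISORIES) -> list[str]:
    """Titles of the advisories whose affected ranges include `version`."""
    return [title for title, spec in advisories if is_affected(version, spec)]


if __name__ == "__main__":
    for v in ("4.1.11", "4.5.2", "3.10.3"):
        print(v, "->", affecting(v) or "no listed advisory matches")
```

Note that a lower bound of "from 0" or ">= 3.9.0" covers every patch release of that branch up to, but excluding, the fixed version, so a site on 4.1.11 is matched by the second and third sample rows but not the first, and an old 3.10.3 site is matched by every "from 0" range whose first fixed version is later than 3.10.3. Pad versions to three components before comparing; "4.1" read naively as (4, 1) would sort before (4, 1, 0).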