| Severity | CVSS | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 10.0 | CVE-2019-3809 | Moodle Blind SSRF Risk in /badges/mybackpack.php | >= 3.1, < 3.1.16 |
| CRITICAL | 9.8 | CVE-2024-33999 | moodle: unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php | >= 4.3.0, < 4.3.4 |
| CRITICAL | 9.8 | CVE-2023-28333 | Moodle: pix helper potential mustache code injection risk | >= 4.1.0, < 4.1.2 |
| CRITICAL | 9.8 | | Moodle SQL Injection vulnerability | >= 3.11.0-beta, < 3.11.1 |
| CRITICAL | 9.8 | | Moodle SQL Injection vulnerability | >= 3.11.0-beta, < 3.11.1 |
| CRITICAL | 9.8 | | Moodle Session Fixation vulnerability | >= 3.11.0-beta, < 3.11.1 |
| CRITICAL | 9.8 | | Moodle Minor SQL injection risk in admin user browsing | >= 3.9, < 3.9.17 |
| CRITICAL | 9.8 | | Moodle remote code execution | from 0, < 3.9.17 |
| CRITICAL | 9.8 | | Moodle PostScript Code Injection | >= 3.9, < 3.9.15 |
| CRITICAL | 9.8 | | Incorrect Calculation in moodle | >= 4.0, < 4.0.1 |
| CRITICAL | 9.8 | | SQL injection in moodle | >= 4.0, < 4.0.1 |
| CRITICAL | 9.8 | | Moodle SQL injection via user preferences | >= 2.7, < 2.7.19 |
| CRITICAL | 9.8 | | SQL injection in Moodle | >= 3.11, < 3.11.5 |
| CRITICAL | 9.8 | | Moodle vulnerable to RCE via unsafe deserialization | >= 3.11, < 3.11.4 |
| CRITICAL | 9.1 | | Moodle blind Server-Side Request Forgery (SSRF) vulnerability in LTI provider library | >= 3.9, < 3.9.18 |
| CRITICAL | 9.1 | | Moodle command execution vulnerability exists in the default legacy spellchecker plugin | |
| CRITICAL | 9.1 | | Moodle OAuth 2 Insufficiently Protects Against Compromise | >= 3.7.0, < 3.7.3 |
| HIGH | 8.8 | | Moodle: moodle: remote code execution via insufficient restore input validation | >= 5.1.0-beta, < 5.1.1 |
| HIGH | 8.8 | | Moodle: authenticated remote code execution risk in the moodle lms dropbox repository | from 0, < 4.1.18 |
| HIGH | 8.8 | | Moodle: csrf risk in brickfield tool's analysis request action | from 0, < 4.1.18 |
| HIGH | 8.8 | | Moodle: authenticated remote code execution risk in the moodle lms equella repository | from 0, < 4.1.18 |
| HIGH | 8.8 | | moodle: logout CSRF in admin/tool/mfa/auth.php | >= 4.3.0, < 4.3.4 |
| HIGH | 8.8 | | moodle: CSRF risk in analytics management of models | >= 4.3.0, < 4.3.4 |
| HIGH | 8.8 | | MSA-24-0005: csrf risk in language import utility | >= 4.3.0, < 4.3.3 |
| HIGH | 8.8 | | Moodle: authenticated remote code execution risk in imscp | from 0, < 4.3.0-rc2 |
| HIGH | 8.8 | | Moodle: authenticated sql injection via availability check | >= 4.1.0, < 4.1.2 |
| HIGH | 8.8 | | Moodle: csrf risk in resetting all templates of a database activity | >= 4.1.0, < 4.1.2 |
| HIGH | 8.8 | | Moodle Cross-Site Request Forgery (CSRF) | >= 3.11, < 3.11.9 |
| HIGH | 8.8 | | Moodle Incorrect Authorization vulnerability | >= 3.9.0-beta, < 3.9.1 |
| HIGH | 8.8 | | Moodle contains CSRF vulnerability | >= 3.11, < 3.11.4 |
| HIGH | 8.8 | | Moodle incorrect access control | >= 3.9, < 3.9.2 |
| HIGH | 8.8 | | Moodle vulnerable to RCE | >= 3.8, < 3.8.3 |
| HIGH | 8.8 | | Moodle CSRF Vulnerability | >= 3.7.0, < 3.7.1 |
| HIGH | 8.8 | | Moodle Unrestricted file upload vulnerability | >= 2.0.1, <= 3.2.1 |
| HIGH | 8.8 | | Moodle XML import of ddwtos could lead to intentional remote code execution | >= 3.5.0, < 3.5.2 |
| HIGH | 8.8 | | Moodle Login CSRF vulnerability in login form | >= 3.1, < 3.1.15 |
| HIGH | 8.8 | | Moodle calculated question type allows remote code execution by Question authors | >= 3.1, < 3.1.12 |
| HIGH | 8.8 | | Moodle Users could elevate their role when accessing the LTI tool on a provider site | from 0, < 3.4.8 |
| HIGH | 8.8 | | Moodle multiple cross-site request forgery (CSRF) vulnerabilities | from 0, < 2.7.11 |
| HIGH | 8.8 | | Moodle cross-site request forgery (CSRF) vulnerability | from 0, < 2.7.13 |
| HIGH | 8.8 | | Moodle Cross-site request forgery (CSRF) vulnerability | from 0, < 2.7.14 |
| HIGH | 8.8 | | SQL Injection in Moodle | >= 3.11.0, < 3.11.6 |
| HIGH | 8.8 | | Cross Site Request Forgery in Moodle | >= 3.11, < 3.11.5 |
| HIGH | 8.6 | | Arbitrary file read risk through pdfTeX | >= 4.5.0-beta, < 4.5.2 |
| HIGH | 8.4 | | moodle: CSRF risk in admin preset tool management of presets | >= 4.3.0, < 4.3.4 |
| HIGH | 8.3 | | Reflected XSS via question bank filter | >= 4.5.0-beta, < 4.5.2 |
| HIGH | 8.3 | | Stored XSS risk in admin live log | >= 4.5.0-beta, < 4.5.2 |
| HIGH | 8.2 | | Moodle: possible to set the preferred "start page" of other users | from 0, < 3.9.19 |
| HIGH | 8.1 | | Moodle: moodle: authentication bypass via lti provider allows suspended users to gain unauthorized access | from 0, < 4.1.22 |
| HIGH | 8.1 | | SQL injection risk in course search module list filter | >= 4.5.0-beta, < 4.5.2 |
| HIGH | 8.1 | | Moodle: csrf risk in feedback non-respondents report | from 0, < 4.1.12 |
| HIGH | 8.1 | | Moodle: remote code execution via calculated question types | from 0, < 4.1.12 |
| HIGH | 8.1 | | Moodle Portfolio script allows instantiation of class chosen by user | >= 3.1, < 3.1.12 |
| HIGH | 8.1 | | Moodle Improper Authentication | >= 3.3, < 3.3.5 |
| HIGH | 7.7 | | Moodle: cache poisoning via injection into storage | from 0, < 4.1.12 |
| HIGH | 7.5 | | Moodle: moodle: brute-force facilitation due to missing rate limiting in confirmation email service | from 0, < 4.1.22 |
| HIGH | 7.5 | | Moodle: password brute force risk when mobile/web services enabled | >= 5.0.0-beta, < 5.0.3 |
| HIGH | 7.5 | | Moodle: unauthenticated rest api user data exposure | >= 4.5.0-beta, < 4.5.3 |
| HIGH | 7.5 | | Moodle: idor when deleting oauth2 linked accounts | from 0, < 4.1.13 |
| HIGH | 7.5 | | Moodle: lfi vulnerability when restoring malformed block backups | from 0, < 4.1.12 |
| HIGH | 7.5 | | Moodle: idor in feedback non-respondents report allows messaging arbitrary site users | from 0, < 4.1.12 |
| HIGH | 7.5 | | Moodle: idor in badges allows deletion of arbitrary badges | from 0, < 4.1.12 |
| HIGH | 7.5 | | Moodle: arbitrary file read risk through pdftex | from 0, < 4.1.12 |
| HIGH | 7.5 | | moodle: HTTP authorization header is preserved between "emulated redirects" | >= 4.4.0-beta, < 4.4.1 |
| HIGH | 7.5 | | moodle: ReCAPTCHA can be bypassed on the login page | >= 4.3.0, < 4.3.4 |
| HIGH | 7.5 | | MSA-24-0001: denial of service risk in file picker unzip functionality | >= 4.3.0, < 4.3.3 |
| HIGH | 7.5 | | Moodle: ssrf risk due to insufficient check on the curl blocked hosts | >= 4.2.0, < 4.2.1 |
| HIGH | 7.5 | | Moodle vulnerable to Uncontrolled Resource Consumption | >= 3.11.0-beta, < 3.11.1 |
| HIGH | 7.5 | | Moodle vulnerable to Server-Side Request Forgery | >= 3.11.0-beta, < 3.11.1 |
| HIGH | 7.5 | | Moodle Arbitrary file read when importing lesson questions | >= 3.9, < 3.9.15 |
| HIGH | 7.5 | | Moodle Denial of Service | >= 3.9, < 3.9.2 |
| HIGH | 7.5 | | Moodle all messaging conversations could be viewed | >= 3.6, < 3.6.4 |
| HIGH | 7.5 | | Moodle SSRF Vulnerability | >= 3.5.0, < 3.5.4 |
| HIGH | 7.5 | | Moodle uses predictable password-recovery tokens | from 0, < 2.7.10 |
| HIGH | 7.5 | | Moodle backs up private files | >= 2.2, < 2.2.2 |
| HIGH | 7.5 | | Moodle denial-of-service risk in the draft files area | >= 3.10, < 3.10.4 |
| HIGH | 7.5 | | Privilege Escalation in moodle | >= 3.9.0, < 3.9.3 |
| HIGH | 7.5 | | Improper Access Control in moodle | >= 3.9.0, < 3.9.3 |
| HIGH | 7.4 | | Moodle open redirect vulnerability | >= 2.7.0, < 2.7.9 |
| HIGH | 7.3 | | Moodle: moodle: cross-site scripting vulnerability via inadequate input filtering in formula editor | from 0, < 4.1.22 |
| HIGH | 7.3 | | Moodle: moodle: cross-site scripting (xss) via improper sanitization of ai prompt responses | from 0, < 4.1.22 |
| HIGH | 7.3 | | Moodle: minor sql injection risk in external wiki method for listing pages | from 0, < 4.2.0-rc2 |
| HIGH | 7.3 | | Moodle XSS Vulnerability | >= 3.5.0, < 3.5.1 |
| HIGH | 7.3 | | Moodle Weak Password Recovery Mechanism for Forgotten Password | >= 2.7, < 2.7.16 |
| HIGH | 7.2 | | Moodle: moodle: improper validation in file restore functionality leading to remote code execution | >= 5.1.0-beta, < 5.1.2 |
| HIGH | 7.2 | | Moodle: site administration sql injection via xmldb editor | from 0, < 4.1.12 |
| HIGH | 7.2 | | Moodle Arbitrary PHP code execution by site admins via Shibboleth configuration | >= 3.5, < 3.5.16 |
| HIGH | 7.2 | | Moodle Blind SQL injection possible via MNet authentication | >= 3.10, < 3.10.4 |
| HIGH | 7.1 | | Moodle Stored Cross-site Scripting and page denial of service | >= 3.9, < 3.9.17 |
| MEDIUM | 6.8 | | Moodle allows attackers to obtain manager privileges | >= 2.7.0, < 2.7.10 |
| MEDIUM | 6.5 | | Moodle: moodle: uncontrolled resource consumption in tex formula editor leading to denial of service | >= 5.1.0-beta, < 5.1.2 |
| MEDIUM | 6.5 | | Feedback response viewing and deletions did not respect Separate Groups mode | >= 4.5.0-beta, < 4.5.2 |
| MEDIUM | 6.5 | | Moodle: unprotected access to sensitive information via dynamic tables | from 0, < 4.1.13 |
| MEDIUM | 6.5 | | Moodle: idor in edit/delete rss feed | from 0, < 4.1.14 |
| MEDIUM | 6.5 | | Moodle: some users can delete audiences of other reports | from 0, < 4.1.14 |
| MEDIUM | 6.5 | | moodle: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys | >= 4.4.0-beta, < 4.4.1 |
| MEDIUM | 6.5 | | moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_feedback backup | >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.5 | | moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup | >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.5 | | moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup | >= 4.3.0, < 4.3.4 |
| MEDIUM | 6.5 | | Inadequate access control vulnerability in Moodle | from 0, <= 4.2.0 |