pkg:Bitnami/moodle

225 CVEs in total: CRITICAL 14, HIGH 58, MEDIUM 141, LOW 10

All known vulnerabilities

  • CRITICAL 9.8 | CVE-2024-33999 | moodle: unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php
    >= 4.3.0, < 4.3.4
  • CRITICAL 9.8 | CVE-2023-28333 | Moodle: pix helper potential mustache code injection risk
    >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
  • CRITICAL 9.8 | CVE-2021-36392 | Moodle SQL Injection vulnerability
    from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
  • CRITICAL 9.8 | CVE-2021-36394 | Moodle Session Fixation vulnerability
    from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
  • CRITICAL 9.8 | CVE-2021-36393 | Moodle SQL Injection vulnerability
    from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
  • CRITICAL 9.8 | CVE-2022-40315 | Moodle Minor SQL injection risk in admin user browsing
    >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4
  • CRITICAL 9.8 | CVE-2022-40314 | Moodle remote code execution
    >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4
  • CRITICAL 9.8 | CVE-2022-35649 | Moodle PostScript Code Injection
    >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2
  • CRITICAL 9.8 | CVE-2022-30600 | Incorrect Calculation in moodle
    >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1
  • CRITICAL 9.8 | CVE-2022-30599 | SQL injection in moodle
    >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1
  • CRITICAL 9.8 | CVE-2022-0332 | SQL injection in Moodle
    >= 3.11.0, < 3.11.5
  • CRITICAL 9.8 | CVE-2021-3943 | Moodle vulnerable to RCE via unsafe deserialization
    >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4
  • CRITICAL 9.1 | CVE-2022-45152 | Moodle blind Server-Side Request Forgery (SSRF) vulnerability in LTI provider library
    from 0, < 3.9.18, >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5
  • CRITICAL 9.1 | CVE-2021-21809 | Moodle command execution vulnerability exists in the default legacy spellchecker plugin
    >= 3.10.0, < 3.10.1
  • HIGH 8.8 | CVE-2025-67847 | Moodle: moodle: remote code execution via insufficient restore input validation
    from 0, < 4.1.22, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
  • HIGH 8.8 | CVE-2025-3641 | Moodle: authenticated remote code execution risk in the moodle lms dropbox repository
    from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • HIGH 8.8 | CVE-2025-3642 | Moodle: authenticated remote code execution risk in the moodle lms equella repository
    from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • HIGH 8.8 | CVE-2025-3638 | Moodle: csrf risk in brickfield tool's analysis request action
    from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • HIGH 8.8 | CVE-2024-34008 | moodle: CSRF risk in analytics management of models
    >= 4.0.0, < 4.3.4
  • HIGH 8.8 | CVE-2024-34007 | moodle: logout CSRF in admin/tool/mfa/auth.php
    >= 4.3.0, < 4.3.4
  • HIGH 8.8 | CVE-2024-25982 | Msa-24-0005: csrf risk in language import utility
    from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
  • HIGH 8.8 | CVE-2023-5540 | Moodle: authenticated remote code execution risk in imscp
    from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
  • HIGH 8.8 | CVE-2023-28335 | Moodle: csrf risk in resetting all templates of a database activity
    >= 4.1.0, < 4.1.1, >= 4.1.1, < 4.1.2
  • HIGH 8.8 | CVE-2023-28329 | Moodle: authenticated sql injection via availability check
    >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
  • HIGH 8.8 | CVE-2022-2986 | Moodle Cross-Site Request Forgery (CSRF)
    >= 3.11.0, < 3.11.9, >= 4.0.0, < 4.0.3
  • HIGH 8.8 | CVE-2020-14321 | Moodle Incorrect Authorization vulnerability
    >= 3.5.0, < 3.5.13, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.4, >= 3.9.0, < 3.9.1
  • HIGH 8.8 | CVE-2021-43559 | Moodle contains CSRF vulnerability
    from 0, < 3.8.9, >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4
  • HIGH 8.8 | CVE-2020-25629 | Moodle incorrect access control
    >= 3.5.0, < 3.5.14, >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2
  • HIGH 8.8 | CVE-2020-10738 | Moodle vulnerable to RCE
    >= 3.5.0, < 3.5.12, >= 3.6.0, < 3.6.10, >= 3.7.0, < 3.7.6, >= 3.8.0, < 3.8.3
  • HIGH 8.8 | CVE-2022-0983 | SQL Injection in Moodle
    >= 3.9.0, < 3.9.13, >= 3.10.0, < 3.10.10, >= 3.11.0, < 3.11.6
  • HIGH 8.8 | CVE-2022-0335 | Cross Site Request Forgery in Moodle
    from 0, < 3.8.10, >= 3.9.0, < 3.9.12, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.5
  • HIGH 8.6 | CVE-2025-26525 | Arbitrary file read risk through pdfTeX
    >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
  • HIGH 8.4 | CVE-2024-34001 | moodle: CSRF risk in admin preset tool management of presets
    from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
  • HIGH 8.3 | CVE-2025-26529 | Stored XSS risk in admin live log
    >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
  • HIGH 8.3 | CVE-2025-26530 | Reflected XSS via question bank filter
    >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
  • HIGH 8.2 | CVE-2023-23923 | Moodle: possible to set the preferred "start page" of other users
    >= 3.9.0, < 3.9.19, >= 3.11.0, < 3.11.12, >= 4.0.0, < 4.0.6, >= 4.1.0, < 4.1.1
  • HIGH 8.1 | CVE-2025-67848 | Moodle: moodle: authentication bypass via lti provider allows suspended users to gain unauthorized access.
    from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
  • HIGH 8.1 | CVE-2025-26533 | SQL injection risk in course search module list filter
    >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
  • HIGH 8.1 | CVE-2024-43434 | Moodle: csrf risk in feedback non-respondents report
    from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • HIGH 8.1 | CVE-2024-43425 | Moodle: remote code execution via calculated question types
    from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • HIGH 7.7 | CVE-2024-43428 | Moodle: cache poisoning via injection into storage
    from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • HIGH 7.5 | CVE-2025-67853 | Moodle: moodle: brute-force facilitation due to missing rate limiting in confirmation email service
    from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
  • HIGH 7.5 | CVE-2025-62399 | Moodle: password brute force risk when mobile/web services enabled
    >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
  • HIGH 7.5 | CVE-2025-32044 | Moodle: unauthenticated rest api user data exposure
    >= 4.5.0, < 4.5.3
  • HIGH 7.5 | CVE-2024-45690 | Moodle: idor when deleting oauth2 linked accounts
    from 0, < 4.1.13, >= 4.2.0, < 4.2.10, >= 4.3.0, < 4.3.7, >= 4.4.0, < 4.4.3
  • HIGH 7.5 | CVE-2024-43431 | Moodle: idor in badges allows deletion of arbitrary badges
    from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • HIGH 7.5 | CVE-2024-43438 | Moodle: idor in feedback non-respondents report allows messaging arbitrary site users
    >= 4.1.0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • HIGH 7.5 | CVE-2024-43426 | Moodle: arbitrary file read risk through pdftex
    >= 4.1.0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • HIGH 7.5 | CVE-2024-43440 | Moodle: lfi vulnerability when restoring malformed block backups
    from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • HIGH 7.5 | CVE-2024-38275 | moodle: HTTP authorization header is preserved between "emulated redirects"
    from 0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1
  • HIGH 7.5 | CVE-2024-34009 | moodle: ReCAPTCHA can be bypassed on the login page
    >= 4.3.0, < 4.3.4
  • HIGH 7.5 | CVE-2020-14322 | In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of den…
    >= 3.5.0, < 3.5.13, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.4, >= 3.9.0, < 3.9.1
  • HIGH 7.5 | CVE-2024-25978 | Msa-24-0001: denial of service risk in file picker unzip functionality
    from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
  • HIGH 7.5 | CVE-2023-35133 | Moodle: ssrf risk due to insufficient check on the curl blocked hosts
    from 0, < 3.9.22, >= 3.11.0, < 3.11.15, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.4, >= 4.2.0, < 4.2.1
  • HIGH 7.5 | CVE-2021-36396 | Moodle vulnerable to Server-Side Request Forgery
    from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
  • HIGH 7.5 | CVE-2021-36395 | Moodle vulnerable to Uncontrolled Resource Consumption
    from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
  • HIGH 7.5 | CVE-2022-35650 | Moodle Arbitrary file read when importing lesson questions
    >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2
  • HIGH 7.5 | CVE-2020-25630 | Moodle Denial of Service
    >= 3.5.0, < 3.5.14, >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2
  • HIGH 7.5 | CVE-2021-32476 | Moodle denial-of-service risk in the draft files area
    from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4
  • HIGH 7.5 | CVE-2020-25699 | Privilege Escalation in moodle
    >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3
  • HIGH 7.5 | CVE-2020-25698 | Improper Access Control in moodle
    >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3
  • HIGH 7.3 | CVE-2025-67850 | Moodle: moodle: cross-site scripting vulnerability via inadequate input filtering in formula editor
    from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
  • HIGH 7.3 | CVE-2025-67849 | Moodle: moodle: cross-site scripting (xss) via improper sanitization of ai prompt responses
    >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
  • HIGH 7.3 | CVE-2023-30944 | Moodle: minor sql injection risk in external wiki method for listing pages
    >= 3.9.0, < 3.9.21, >= 3.11.0, < 3.11.14, >= 4.0.0, < 4.0.8, >= 4.1.0, < 4.1.3
  • HIGH 7.2 | CVE-2026-26046 | Moodle: moodle: improper input sanitization in tex filter administration setting
    from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2
  • HIGH 7.2 | CVE-2026-26045 | Moodle: moodle: improper validation in file restore functionality leading to remote code execution
    from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2
  • HIGH 7.2 | CVE-2024-43436 | Moodle: site administration sql injection via xmldb editor
    >= 4.1.0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • HIGH 7.2 | CVE-2020-1756 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool.
    >= 3.5.0, < 3.5.11, >= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.5, >= 3.8.0, < 3.8.2
  • HIGH 7.2 | CVE-2021-20187 | Moodle Arbitrary PHP code execution by site admins via Shibboleth configuration
    from 0, < 3.5.16, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1
  • HIGH 7.2 | CVE-2021-32474 | Moodle Blind SQL injection possible via MNet authentication
    from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4
  • HIGH 7.1 | CVE-2025-3625 | Moodle: user dos and name disclosure via idor in moodle mfa email factor revoke action
    >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • HIGH 7.1 | CVE-2022-40313 | Moodle Stored Cross-site Scripting and page denial of service
    >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4
  • MEDIUM 6.5 | CVE-2026-26047 | Moodle: moodle: uncontrolled resource consumption in tex formula editor leading to denial of service
    from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2
  • MEDIUM 6.5 | CVE-2025-26526 | Feedback response viewing and deletions did not respect Separate Groups mode
    >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
  • MEDIUM 6.5 | CVE-2024-45689 | Moodle allows users to retrieve information they did not have permission to access
    from 0, < 4.1.13, >= 4.2.0, < 4.2.10, >= 4.3.0, < 4.3.7, >= 4.4.0, < 4.4.3
  • MEDIUM 6.5 | CVE-2024-48898 | Moodle: some users can delete audiences of other reports
    from 0, < 4.1.19, >= 4.2.0, < 4.4.9
  • MEDIUM 6.5 | CVE-2024-48897 | Moodle: idor in edit/delete rss feed
    from 0, < 4.1.19, >= 4.2.0, < 4.4.9
  • MEDIUM 6.5 | CVE-2024-38277 | moodle: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys
    >= 4.1.0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1
  • MEDIUM 6.5 | CVE-2024-34004 | moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup
    from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
  • MEDIUM 6.5 | CVE-2024-34005 | moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup
    from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
  • MEDIUM 6.5 | CVE-2024-34002 | moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_feedback backup
    from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
  • MEDIUM 6.5 | CVE-2024-1439 | Inadequate access control vulnerability in Moodle
    from 0, < 4.3.4
  • MEDIUM 6.5 | CVE-2023-5550 | Moodle: rce due to lfi risk in some misconfigured shared hosting environments
    from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
  • MEDIUM 6.5 | CVE-2023-28330 | Moodle: authenticated arbitrary file read through malformed backup file
    >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
  • MEDIUM 6.5 | CVE-2021-40693 | Moodle type juggling vulnerability
    from 0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3
  • MEDIUM 6.5 | CVE-2020-1692 | Cross-Site Request Forgery in Moodle
    from 0, < 3.7.2
  • MEDIUM 6.5 | CVE-2020-25700 | SQL Injection in moodle
    >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3
  • MEDIUM 6.3 | CVE-2023-35132 | Moodle: minor sql injection risk on mnet sso access control page
    from 0, < 3.9.22, >= 3.11.0, < 3.11.15, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.4, >= 4.2.0, < 4.2.1
  • MEDIUM 6.2 | CVE-2024-33996 | moodle: broken access control when setting calendar event type
    from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
  • MEDIUM 6.1 | CVE-2025-67851 | Moodle: moodle: formula injection allows arbitrary formula execution via unescaped data export
    from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
  • MEDIUM 6.1 | CVE-2024-38274 | moodle: stored XSS via calendar's event title when deleting the event
    >= 4.1.0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1
  • MEDIUM 6.1 | CVE-2024-33997 | moodle: stored XSS risk when editing another user's equation in equation editor
    from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
  • MEDIUM 6.1 | CVE-2024-29374 | Cross site scripting in moodle
    >= 3.10.9, < 4.1.10
  • MEDIUM 6.1 | CVE-2023-5547 | Moodle: xss risk when previewing data in course upload tool
    >= 3.9.0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
  • MEDIUM 6.1 | CVE-2023-5541 | Moodle: xss risk when using csv grade import method
    >= 3.9.0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
  • MEDIUM 6.1 | CVE-2023-35131 | Moodle: xss risk on groups page
    >= 3.11.0, < 3.11.15, >= 4.0.0, < 4.0.9, >= 4.1.0, < 4.1.4, >= 4.2.0, < 4.2.1
  • MEDIUM 6.1 | CVE-2023-28331 | Moodle: xss risk when outputting database activity filter data
    >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
  • MEDIUM 6.1 | CVE-2023-28332 | Moodle: algebra filter xss when filter is misconfigured
    >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
  • MEDIUM 6.1 | CVE-2023-23921 | Moodle: reflected xss risk in some returnurl parameters
    >= 3.9.0, < 3.9.19, >= 3.11.0, < 3.11.12, >= 4.0.0, < 4.0.6, >= 4.1.0, < 4.1.1
  • MEDIUM 6.1 | CVE-2023-23922 | Moodle: reflected xss risk in blog search
    >= 4.0.0, < 4.0.6, >= 4.1.0, < 4.1.1
  • MEDIUM 6.1 | CVE-2022-45150 | Moodle reflected cross-site scripting vulnerability in policy tool
    >= 3.9.0, < 3.9.18, >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5
  • MEDIUM 6.1 | CVE-2020-14320 | Moodle reflected XSS Vulnerability
    >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.4, >= 3.9.0, < 3.9.1
  • MEDIUM 6.1 | CVE-2022-35653 | Moodle LTI module reflected XSS risk
    >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.1, >= 4.0.1, < 4.0.2
  • MEDIUM 6.1 | CVE-2022-35652 | Moodle Open redirect risk in mobile auto-login feature
    >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2
  • MEDIUM 6.1 | CVE-2022-35651 | Moodle Stored XSS and blind SSRF possible via SCORM track details
    >= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2
  • MEDIUM 6.1 | CVE-2020-25631 | Moodle Cross-site Scripting (XSS)
    >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2
  • MEDIUM 6.1 | CVE-2020-25627 | Moodle stored Cross-site Scripting (XSS)
    >= 3.9.0, < 3.9.2
  • MEDIUM 6.1 | CVE-2021-32478 | Moodle reflected XSS
    from 0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4
  • MEDIUM 6.1 | CVE-2021-43558 | Cross-site Scripting in moodle
    from 0, < 3.8.9, >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4
  • MEDIUM 6.1 | CVE-2020-25628 | Cross site-scripting (XSS) moodle
    >= 3.5.0, < 3.5.14, >= 3.7.0, < 3.7.8, >= 3.8.0, < 3.8.5, >= 3.9.0, < 3.9.2
  • MEDIUM 6.1 | CVE-2020-25702 | Cross-site Scripting (XSS) in moodle
    >= 3.9.0, < 3.9.3
  • MEDIUM 5.9 | CVE-2024-34003 | moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_workshop backup
    from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
  • MEDIUM 5.5 | CVE-2024-37674 | Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name paramete…
    >= 3.10.0, < 4.1.10
  • MEDIUM 5.4 | CVE-2025-67856 | Moodle: moodle: privilege escalation via incomplete role checks in badge awarding
    from 0, < 4.1.22, >= 4.4.0, < 4.4.12, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
  • MEDIUM 5.4 | CVE-2025-67855 | Moodle: moodle: information disclosure and script execution via reflected cross-site scripting
    from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
  • MEDIUM 5.4 | CVE-2025-62401 | Moodle: possible to bypass timer in timed assignments
    >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
  • MEDIUM 5.4 | CVE-2025-3643 | Moodle: reflected xss risk in policy tool
    from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • MEDIUM 5.4 | CVE-2024-45691 | Moodle: lesson activity password bypass through php loose comparison
    from 0, < 4.1.13, >= 4.2.0, < 4.2.10, >= 4.3.0, < 4.3.7, >= 4.4.0, < 4.4.3
  • MEDIUM 5.4 | CVE-2024-43439 | Moodle: reflected xss via h5p error message
    from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • MEDIUM 5.4 | CVE-2024-43437 | Moodle: xss risk when restoring malicious course backup file
    from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • MEDIUM 5.4 | CVE-2024-38276 | moodle: CSRF risks due to misuse of confirm_sesskey
    from 0, < 4.1.10, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1
  • MEDIUM 5.4 | CVE-2024-33998 | moodle: stored XSS via user's name on participants page when opening some options
    from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
  • MEDIUM 5.4 | CVE-2024-28593 | Cross-site Scripting in Moodle Chat
    >= 4.3.3, < 4.3.4
  • MEDIUM 5.4 | CVE-2023-46858 | Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher.
    >= 4.3.0, < 4.3.1
  • MEDIUM 5.4 | CVE-2023-5544 | Moodle: stored xss and potential idor risk in wiki comments
    >= 3.9.0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
  • MEDIUM 5.4 | CVE-2023-5546 | Moodle: stored xss in quiz grading report via user id number
    >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
  • MEDIUM 5.4 | CVE-2021-27131 | Moodle vulnerable to stored Cross-site Scripting
    >= 3.10.1, < 3.10.2
  • MEDIUM 5.4 | CVE-2021-36398 | Moodle Cross-site Scripting vulnerability
    >= 3.11.0, < 3.11.1
  • MEDIUM 5.4 | CVE-2021-36399 | Moodle Cross-site Scripting vulnerability
    >= 3.11.0, < 3.11.1
  • MEDIUM 5.4 | CVE-2022-45151 | Moodle stored-XSS vulnerability in some "social" user profile fields
    >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5
  • MEDIUM 5.4 | CVE-2022-45149 | Cross-Site Request Forgery in Moodle
    >= 3.9.0, < 3.9.18, >= 3.11.0, < 3.11.11, >= 4.0.0, < 4.0.5
  • MEDIUM 5.4 | CVE-2021-36568 | Moodle Cross-site Scripting vulnerability
    >= 3.9.7, < 3.9.8, >= 3.10.4, < 3.10.5, >= 3.11.0, < 3.11.1
  • MEDIUM 5.4 | CVE-2020-1691 | Moodle XSS Vulnerability
    >= 3.8.0, < 3.8.1
  • MEDIUM 5.4 | CVE-2021-32244 | Moodle Cross Site Scripting (XSS)
    >= 3.10.3, < 3.10.4
  • MEDIUM 5.4 | CVE-2021-20279 | Moodle contains Stored XSS via ID number user profile field
    >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2
  • MEDIUM 5.4 | CVE-2021-20186 | Moodle Cross-site Scripting
    from 0, < 3.5.16, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1
  • MEDIUM 5.4 | CVE-2021-20183 | Moodle Vulnerable to Reflected Cross-site Scripting
    from 0, < 3.10.1
  • MEDIUM 5.4 | CVE-2022-30596 | Cross-site Scripting in moodle
    >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1
  • MEDIUM 5.4 | CVE-2021-32475 | Moodle stored Cross-site Scripting
    from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4
  • MEDIUM 5.4 | CVE-2021-20280 | Cross-site scripting (XSS) and Server side request forgery (SSRF) in moodle
    >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2
  • MEDIUM 5.3 | CVE-2025-62397 | Moodle: router produces json instead of 404 error for invalid course id
    >= 5.0.0, < 5.0.3
  • MEDIUM 5.3 | CVE-2025-62396 | Moodle: router (r.php) could expose application directories
    >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
  • MEDIUM 5.3 | CVE-2025-62398 | Moodle: possible to bypass mfa
    >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
  • MEDIUM 5.3 | CVE-2025-32045 | Moodle: hidden grades shown to users without permission on some grade reports
    from 0, < 4.1.17, >= 4.3.0, < 4.3.11, >= 4.4.0, < 4.4.7, >= 4.5.0, < 4.5.3
  • MEDIUM 5.3 | CVE-2025-26527 | Non-searchable tags can still be discovered on the tag search page and in the tags block
    >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
  • MEDIUM 5.3 | CVE-2024-43435 | Moodle: can create global glossary without being admin
    from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • MEDIUM 5.3 | CVE-2024-43433 | Moodle: matrix user/power level management not always working as expected with suspended users
    >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • MEDIUM 5.3 | CVE-2024-43432 | Moodle: authorization headers preserved between "emulated redirects"
    from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • MEDIUM 5.3 | CVE-2024-43429 | Moodle: user information visibility control issues in gradebook reports
    from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • MEDIUM 5.3 | CVE-2024-43430 | Moodle: lack of access control when using external methods for quiz overrides
    >= 4.4.0, < 4.4.2
  • MEDIUM 5.3 | CVE-2020-1755 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote addr…
    >= 3.5.0, < 3.5.11, >= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.5, >= 3.8.0, < 3.8.2
  • MEDIUM 5.3 | CVE-2024-25980 | Msa-24-0003: h5p attempts report did not respect activity group settings
    from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
  • MEDIUM 5.3 | CVE-2024-25983 | Msa-24-0006: idor on dashboard comments block
    from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
  • MEDIUM 5.3 | CVE-2024-25979 | Msa-24-0002: forum search accepted random parameters in its url
    from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
  • MEDIUM 5.3 | CVE-2024-25981 | Msa-24-0004: forum export did not respect activity group settings
    from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
  • MEDIUM 5.3 | CVE-2023-5545 | Moodle: auto-populated h5p author name causes a potential information leak
    from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
  • MEDIUM 5.3 | CVE-2023-5548 | Moodle: cache poisoning risk with endpoint revision numbers
    from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
  • MEDIUM 5.3 | CVE-2023-5549 | Moodle: insufficient capability checks when updating the parent of a course category
    from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
  • MEDIUM 5.3 | CVE-2023-30943 | Moodle: tinymce loaders susceptible to arbitrary folder creation
    >= 4.1.0, < 4.1.3
  • MEDIUM 5.3 | CVE-2021-36397 | Moodle has Incorrect Default Permissions
    from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
  • MEDIUM 5.3 | CVE-2021-36403 | Moodle has a Hidden Functionality vulnerability
    from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
  • MEDIUM 5.3 | CVE-2021-36402 | Moodle Improper Input Validation vulnerability
    from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
  • MEDIUM 5.3 | CVE-2021-36400 | Moodle has Incorrect Default Permissions
    from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
  • MEDIUM 5.3 | CVE-2021-43560 | Moodle Insecure direct object reference (IDOR) in a calendar web service
    from 0, < 3.8.9, >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4
  • MEDIUM 5.3 | CVE-2021-20282 | Moodle Bypass email verification secret when confirming account registration
    >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2
  • MEDIUM 5.3 | CVE-2021-20185 | Moodle Client side denial of service via personal message
    >= 3.5.0, < 3.5.16, >= 3.8.0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1
  • MEDIUM 5.3 | CVE-2022-30597 | External Control of Assumed-Immutable Web Parameter in moodle
    >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1
  • MEDIUM 5.3 | CVE-2021-32473 | Moodle Information Disclosure vulnerability
    from 0, < 3.5.18, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4
  • MEDIUM 5.3 | CVE-2020-25703 | Exposure of Sensitive Information to an Unauthorized Actor in Moodle
    >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3
  • MEDIUM 5.3 | CVE-2021-20281 | Moodle allowed some users without permission to view other users' full names
    >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2
  • MEDIUM 5.3 | CVE-2020-25701 | Privilege Escalation in moodle
    >= 3.5.0, < 3.5.15, >= 3.7.0, < 3.7.9, >= 3.8.0, < 3.8.6, >= 3.9.0, < 3.9.3
  • MEDIUM 4.9 | CVE-2021-40694 | Moodle Improper Encoding or Escaping of Output
    from 0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3
  • MEDIUM 4.8 | CVE-2021-36401 | Moodle vulnerable to Stored Cross-site Scripting
    from 0, < 3.9.8, >= 3.10.0, < 3.10.5, >= 3.11.0, < 3.11.1
  • MEDIUM 4.7 | CVE-2023-5539 | Moodle: authenticated remote code execution risk in lesson
    from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
  • MEDIUM 4.3 | CVE-2025-67857 | Moodle: moodle: data exposure of user identifiers in urls
    from 0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
  • MEDIUM 4.3 | CVE-2025-62395 | Moodle: external cohort search service leaks system cohort data
    >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
  • MEDIUM 4.3 | CVE-2025-62400 | Moodle: hidden group names visible to event creators
    >= 4.1.0, < 4.1.21, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
  • MEDIUM 4.3 | CVE-2025-62393 | Moodle: course access permissions not properly checked in course_output_fragment_course_overview
    >= 5.0.0, < 5.0.3
  • MEDIUM 4.3 | CVE-2025-62394 | Moodle: quiz notifications sent to suspended participants
    >= 4.5.0, < 4.5.7, >= 5.0.0, < 5.0.3
  • MEDIUM 4.3 | CVE-2025-3647 | Moodle: idor when accessing the cohorts report
    from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • MEDIUM 4.3 | CVE-2025-3640 | Moodle: idor in web service allows users enrolled in a course to access some details of other users
    from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • MEDIUM 4.3 | CVE-2025-3644 | Moodle: ajax section delete does not respect course_can_delete_section()
    from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • MEDIUM 4.3 | CVE-2025-3636 | Moodle: idor in moodle rss block allows unauthorized access to rss feeds
    from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • MEDIUM 4.3 | CVE-2025-3645 | Moodle: idor in messaging web service allows access to some user details
    from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • MEDIUM 4.3 | CVE-2025-3627 | Moodle: partial data exposure in moodle before completing multi-factor authentication
    >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • MEDIUM 4.3 | CVE-2025-3628 | Moodle: moodle assignment submission search leaks anonymous student identities
    >= 4.5.0, < 4.5.4
  • MEDIUM 4.3 | CVE-2025-3634 | Moodle: moodle allows course self-enrolment before completing mfa
    >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • MEDIUM 4.3 | CVE-2024-48899 | Moodle: idor when accessing list of course badges
    >= 4.4.0, < 4.4.4
  • MEDIUM 4.3 | CVE-2024-48901 | Moodle: idor when fetching report schedules
    from 0, < 4.1.19, >= 4.2.0, < 4.4.9
  • MEDIUM 4.3 | CVE-2024-48896 | Moodle: users' names returned in messaging error message
    from 0, < 4.1.19, >= 4.2.0, < 4.4.9
  • MEDIUM 4.3 | CVE-2024-48900 | Moodle: idor when accessing list of badge recipients
    >= 4.4.0, < 4.4.4
  • MEDIUM 4.3 | CVE-2024-38273 | moodle: BigBlueButton web service leaks meeting joining information to users who should not have access
    >= 4.1.0, < 4.1.11, >= 4.2.0, < 4.2.8, >= 4.3.0, < 4.3.5, >= 4.4.0, < 4.4.1
  • MEDIUM 4.3 | CVE-2024-34006 | moodle: unsanitized HTML in site log for config_log_created
    from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
  • MEDIUM 4.3 | CVE-2024-34000 | moodle: stored XSS in lesson overview report via user ID number
    from 0, < 4.1.10, >= 4.2.0, < 4.2.7, >= 4.3.0, < 4.3.4
  • MEDIUM 4.3 | CVE-2020-1754 | In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not…
    >= 3.5.0, < 3.5.11, >= 3.6.0, < 3.6.9, >= 3.7.0, < 3.7.5, >= 3.8.0, < 3.8.2
  • MEDIUM 4.3 | CVE-2023-5542 | Moodle: students can view other users in "only see own membership" groups
    >= 4.2.2, < 4.2.3
  • MEDIUM 4.3 | CVE-2022-40208 | Moodle may allow students to bypass sequential navigation during a quiz attempt
    >= 3.9.0, < 3.9.16, >= 3.11.0, < 3.11.9, >= 4.0.0, < 4.0.3
  • MEDIUM 4.3 | CVE-2023-1402 | Moodle: course participation report shows roles the user should not see
    >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
  • MEDIUM 4.3 | CVE-2023-28334 | Moodle: users' name enumeration possible via idor on learning plans page
    >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
  • MEDIUM 4.3 | CVE-2023-28336 | Moodle: teacher can access names of users they do not have permission to access
    >= 3.9.0, < 3.9.20, >= 3.11.0, < 3.11.13, >= 4.0.0, < 4.0.7, >= 4.1.0, < 4.1.2
  • MEDIUM 4.3 | CVE-2022-40316 | Moodle No groups filtering in H5P activity attempts report
    >= 3.9.0, < 3.9.17, >= 3.11.0, < 3.11.10, >= 4.0.0, < 4.0.4
  • MEDIUM 4.3 | CVE-2021-40692 | Moodle Incorrect Authorization
    >= 3.9.0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3
  • MEDIUM 4.3 | CVE-2021-40691 | Moodle Improper Authentication
    from 0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3
  • MEDIUM 4.3 | CVE-2021-40695 | Moodle Exposure of Sensitive Information to an Unauthorized Actor
    >= 3.9.0, < 3.9.10, >= 3.10.0, < 3.10.7, >= 3.11.0, < 3.11.3
  • MEDIUM 4.3 | CVE-2021-20283 | Missing permission check in Moodle
    >= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2
  • MEDIUM 4.3 | CVE-2021-20184 | Moodle Grade information disclosure in grade's external fetch functions
    from 0, < 3.8.7, >= 3.9.0, < 3.9.4, >= 3.10.0, < 3.10.1
  • MEDIUM 4.3 | CVE-2022-30598 | Exposure of Sensitive Information in moodle
    >= 3.9.0, < 3.9.14, >= 3.10.0, < 3.10.11, >= 3.11.0, < 3.11.7, >= 4.0.0, < 4.0.1
  • MEDIUM 4.3 | CVE-2022-0985 | Improper Authentication in moodle
    from 0, < 3.9.13, >= 3.10.0, < 3.10.10, >= 3.11.0, < 3.11.6
  • MEDIUM 4.3 | CVE-2022-0984 | Missing authorization in Moodle
    >= 3.9.0, < 3.9.13, >= 3.10.0, < 3.10.10, >= 3.11.0, < 3.11.6
  • MEDIUM 4.3 | CVE-2021-32472 | Moodle Exposure of Sensitive Information to an Unauthorized Actor
    >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.7, >= 3.10.0, < 3.10.4
  • MEDIUM 4.3 | CVE-2021-32477 | Moodle Exposure of Sensitive Information to an Unauthorized Actor
    >= 3.10.0, < 3.10.4
  • MEDIUM 4.3 | CVE-2022-0334 | Insufficient user authorization in Moodle
    from 0, < 3.8.10, >= 3.9.0, < 3.9.12, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.5
  • MEDIUM 4.2 | CVE-2025-53021 | Moodle Session Fixation allows unauthenticated users to hijack sessions via sesskey parameter
    >= 3.0.0, < 4.1.10
  • LOW 3.8 | CVE-2022-0333 | Insufficient user authorization in Moodle
    from 0, < 3.8.10, >= 3.9.0, < 3.9.12, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.5
  • LOW 3.7 | CVE-2024-43427 | Moodle: admin presets export tool includes some secrets that should not be exported
    from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
  • LOW 3.5 | CVE-2025-67852 | Moodle: moodle: open redirect vulnerability in oauth login flow allows redirection to malicious sites.
    from 0, < 4.1.22, >= 4.4.0, < 4.4.11, >= 4.5.0, < 4.5.8, >= 5.0.0, < 5.0.4, >= 5.1.0, < 5.1.1
  • LOW 3.5 | CVE-2025-3635 | Moodle: csrf risk in moodle user tours manager allows tour duplication
    from 0, < 4.1.18, >= 4.3.0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • LOW 3.4 | CVE-2025-26528 | Stored XSS in ddimageortext question type
    >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
  • LOW 3.3 | CVE-2023-5543 | Moodle: duplicating a bigbluebutton activity assigns the same meeting id
    >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
  • LOW 3.3 | CVE-2023-5551 | Moodle: forum summary report shows students from other groups when in separate groups mode
    from 0, < 3.9.24, >= 3.11.0, < 3.11.17, >= 4.0.0, < 4.0.11, >= 4.1.0, < 4.1.6, >= 4.2.0, < 4.2.3
  • LOW 3.1 | CVE-2025-3637 | Moodle: csrf token exposure via url in moodle mod_data module
    from 0, < 4.3.12, >= 4.4.0, < 4.4.8, >= 4.5.0, < 4.5.4
  • LOW 3.1 | CVE-2025-26532 | Teachers can evade trusttext config when restoring glossary entries
    >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
  • LOW 3.1 | CVE-2025-26531 | IDOR in badges allows disabling of arbitrary badges
    >= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
  • CVE-2022-50943 | Moodle LMS 4.0 Cross-Site Scripting via course search.php
    from 0, <= 4.0.0
  • CVE-2021-47857 | Moodle 3.10.3 - 'label' Persistent Cross Site Scripting
    >= 3.10.3, <= 3.10.3