threatengine.sh
Product
moodle
500 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-26047
< 4.5.9
A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insuf
6.5
MEDIUM
CVE-2026-26046
< 4.5.9
A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input cou
7.2
HIGH
CVE-2026-26045
< 4.5.9
A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated
7.2
HIGH
CVE-2025-67857
< 4.1.21
A flaw was found in Moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This dat
4.3
MEDIUM
CVE-2025-67856
< 4.1.22
A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding proc
5.4
MEDIUM
CVE-2025-67855
< 4.1.22
A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy to
5.4
MEDIUM
CVE-2025-67853
< 4.1.22
A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This
7.5
HIGH
CVE-2025-67852
< 4.1.22
A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to a
3.5
LOW
CVE-2025-67851
< 4.1.22
A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A r
6.1
MEDIUM
CVE-2025-67850
< 4.1.22
A flaw was found in Moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-pro
7.3
HIGH
CVE-2025-67849
>= 4.5.0 and < 4.5.8
A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses,
7.3
HIGH
CVE-2025-67848
< 4.1.22
A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning T
8.1
HIGH
CVE-2025-67847
< 4.1.22
A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code
8.8
HIGH
CVE-2021-47857
all versions
Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers
7.2
HIGH
CVE-2025-62401
>= 4.1.0 and < 4.1.21
An issue in Moodle’s timed assignment feature allowed students to bypass the time restriction, potentially giving them more time
5.4
MEDIUM
CVE-2025-62400
>= 4.1.0 and < 4.1.21
Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. Thi
4.3
MEDIUM
CVE-2025-62399
>= 4.1.0 and < 4.1.21
Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them s
7.5
HIGH
CVE-2025-62398
>= 4.4.0 and < 4.4.11
A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditi
5.4
MEDIUM
CVE-2025-62397
>= 5.0.0 and < 5.0.3
The router’s inconsistent response to invalid course IDs allowed attackers to infer which course IDs exist, potentially aiding r
5.3
MEDIUM
CVE-2025-62396
>= 4.5.0 and < 4.5.7
An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when speci
5.3
MEDIUM
CVE-2025-62395
>= 4.1.0 and < 4.1.21
A flaw in the cohort search web service allowed users with permissions in lower contexts to access cohort information from the sys
4.3
MEDIUM
CVE-2025-62394
>= 4.5.0 and < 4.5.7
Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might
4.3
MEDIUM
CVE-2025-62393
>= 5.0.0 and < 5.0.3
A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow un
4.3
MEDIUM
CVE-2025-53021
>= 3.0.0 and <= 3.11.18
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the se
4.2
MEDIUM
CVE-2025-3647
< 4.1.18
A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authori
4.3
MEDIUM
CVE-2025-3645
< 4.1.18
A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and
4.3
MEDIUM
CVE-2025-3644
< 4.1.18
A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permi
4.3
MEDIUM
CVE-2025-3643
< 4.1.18
A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scr
5.4
MEDIUM
CVE-2025-3642
< 4.1.18
A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was
8.8
HIGH
CVE-2025-3641
< 4.1.18
A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was
8.8
HIGH
CVE-2025-3640
< 4.1.18
A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details
4.3
MEDIUM
CVE-2025-3638
< 4.1.18
A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cr
8.8
HIGH
CVE-2025-3637
< 4.3.12
A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attack
3.1
LOW
CVE-2025-3636
< 4.1.18
A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capabili
4.3
MEDIUM
CVE-2025-3635
< 4.1.18
A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to
3.5
LOW
CVE-2025-3628
>= 4.5.0 and < 4.5.4
A flaw was found in Moodle where anonymous assignment submissions can be de-anonymized via search, revealing student identitie
4.3
MEDIUM
CVE-2025-3627
>= 4.3.0 and < 4.3.12
A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students befo
4.3
MEDIUM
CVE-2025-3625
>= 4.3.0 and < 4.3.12
A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students an
7.1
HIGH
CVE-2025-32045
< 4.1.17
A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the neces
5.3
MEDIUM
CVE-2025-32044
>= 4.5.0 and < 4.5.3
A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data-including n
7.5
HIGH
CVE-2025-3634
>= 4.3.0 and < 4.3.12
A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the
4.3
MEDIUM
CVE-2025-26533
>= 4.1.0 and < 4.1.16
An SQL injection risk was identified in the module list filter within course search.
8.1
HIGH
CVE-2025-26532
>= 4.1.0 and < 4.1.16
Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.
3.1
LOW
CVE-2025-26531
>= 4.1.0 and < 4.1.16
Insufficient capability checks made it possible to disable badges a user does not have permission to access.
3.1
LOW
CVE-2025-26530
>= 4.3.0 and < 4.3.10
The question bank filter required additional sanitizing to prevent a reflected XSS risk.
8.3
HIGH
CVE-2025-26529
>= 4.1.0 and < 4.1.16
Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk
8.3
HIGH
CVE-2025-26528
>= 4.1.0 and < 4.1.16
The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.
3.4
LOW
CVE-2025-26527
>= 4.1.0 and < 4.1.16
Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.
5.3
MEDIUM
CVE-2025-26526
>= 4.1.0 and < 4.1.16
Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Fe
6.5
MEDIUM
CVE-2025-26525
>= 4.1.0 and < 4.1.16
Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (su
8.6
HIGH
CVE-2024-48899
>= 4.4.0 and < 4.4.4
A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for c
4.3
MEDIUM
CVE-2024-45691
< 4.1.13
A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or l
5.4
MEDIUM
CVE-2024-45690
< 4.1.13
A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.
7.5
HIGH
CVE-2024-45689
< 4.1.13
A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrie
6.5
MEDIUM
CVE-2024-48901
<= 4.1.14
A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if th
4.3
MEDIUM
CVE-2024-48898
<= 4.1.14
A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports
4.3
MEDIUM
CVE-2024-48897
<= 4.1.14
A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they ha
4.3
MEDIUM
CVE-2024-48896
<= 4.1.14
A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that t
4.3
MEDIUM
CVE-2024-48900
>= 4.4.0 and < 4.4.4
A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can o
4.3
MEDIUM
CVE-2024-43439
< 4.1.12
A flaw was found in Moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) ris
5.4
MEDIUM
CVE-2024-43437
< 4.1.12
A flaw was found in Moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS)
5.4
MEDIUM
CVE-2024-43435
< 4.1.12
A flaw was found in Moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses
5.3
MEDIUM
CVE-2024-43433
>= 4.3.0 and < 4.3.6
A flaw was found in Moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users
5.3
MEDIUM
CVE-2024-43432
< 4.1.12
A flaw was found in Moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains
5.3
MEDIUM
CVE-2024-43430
>= 4.4.0 and < 4.4.2
A flaw was found in Moodle. External API access to quiz overrides contained insufficient access control.
5.3
MEDIUM
CVE-2024-43429
< 4.1.12
A flaw was found in Moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without
5.3
MEDIUM
CVE-2024-43427
< 4.1.12
A flaw was found in Moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being
3.7
LOW
CVE-2024-43440
< 4.1.12
A flaw was found in Moodle. A local file inclusion risk existed when restoring block backups.
7.5
HIGH
CVE-2024-43438
>= 4.1.0 and < 4.1.12
A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging
7.5
HIGH
CVE-2024-43436
>= 4.1.0 and < 4.1.12
A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators.
7.2
HIGH
CVE-2024-43434
< 4.1.12
The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading t
8.1
HIGH
CVE-2024-43431
< 4.1.12
A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have pe
7.5
HIGH
CVE-2024-43428
< 4.1.12
To address a cache poisoning risk in Moodle, additional validation for local storage was required.
7.7
HIGH
CVE-2024-43426
>= 4.1.0 and < 4.1.12
A flaw was found in pdfTeX. Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites wh
7.5
HIGH
CVE-2024-43425
< 4.1.12
A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question type
8.1
HIGH
CVE-2024-34312
< 4.2.3
Virtual Programming Lab for Moodle up to v4.2.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the compo
6.1
MEDIUM
CVE-2024-37674
all versions
Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name
5.5
MEDIUM
CVE-2024-38277
>= 4.1.0 and < 4.1.11
A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeabl
5.4
MEDIUM
CVE-2024-38276
< 4.1.10
Incorrect CSRF token checks resulted in multiple CSRF risks.
8.8
HIGH
CVE-2024-38275
< 4.1.11
The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header informatio
7.5
HIGH
CVE-2024-38274
>= 4.1.0 and < 4.1.11
Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.
6.1
MEDIUM
CVE-2024-38273
>= 4.1.0 and < 4.1.11
Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permiss
5.4
MEDIUM
CVE-2024-34009
>= 4.3.0 and < 4.3.4
Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect oth
7.5
HIGH
CVE-2024-34008
>= 4.0 and < 4.3.4
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.
8.8
HIGH
CVE-2024-34007
>= 4.3.0 and < 4.3.4
The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSR
8.8
HIGH
CVE-2024-34006
< 4.1.10
The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext
4.3
MEDIUM
CVE-2024-34005
< 4.1.10
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both acces
6.5
MEDIUM
CVE-2024-34004
< 4.1.10
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both acces
6.5
MEDIUM
CVE-2024-34003
< 4.1.10
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both acces
5.9
MEDIUM
CVE-2024-34002
< 4.1.10
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both acces
6.5
MEDIUM
CVE-2024-34001
< 4.1.10
Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.
8.4
HIGH
CVE-2024-34000
< 4.1.10
ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk.
4.3
MEDIUM
CVE-2024-33999
>= 4.3.0 and < 4.3.4
The referrer URL used by MFA required additional sanitizing, rather than being used directly.
9.8
CRITICAL
CVE-2024-33998
< 4.1.10
Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with so
5.4
MEDIUM
CVE-2024-33997
< 4.1.10
Additional sanitizing was required when opening the equation editor to prevent a stored XSS risk when editing another user's equat
6.1
MEDIUM
CVE-2024-33996
< 4.1.10
Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/
6.2
MEDIUM
CVE-2024-28593
all versions
The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content
5.4
MEDIUM
CVE-2024-29374
all versions
A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the "GET /?lang=" URL paramet
6.1
MEDIUM
CVE-2024-25983
>= 4.1.0 and < 4.1.9
Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it wa
3.5
LOW
CVE-2024-25982
>= 4.1.0 and < 4.1.9
The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.
4.3
MEDIUM
CVE-2024-25981
>= 4.1.0 and < 4.1.9
Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. B
4.3
MEDIUM
CVE-2024-25980
>= 4.1.0 and < 4.1.9
Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By def
4.3
MEDIUM
CVE-2024-25979
>= 4.1.0 and < 4.1.9
The URL parameters accepted by forum search were not limited to the allowed parameters.
5.3
MEDIUM
CVE-2024-25978
>= 4.1.0 and < 4.1.9
Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.
7.5
HIGH
CVE-2024-1439
<= 4.2.11
Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary event
6.5
MEDIUM
CVE-2023-5543
>= 4.0.0 and < 4.0.11
When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activ
3.3
LOW
CVE-2023-5551
< 3.9.24
Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.
3.3
LOW
CVE-2023-5550
< 3.9.24
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has di
6.5
MEDIUM
CVE-2023-5549
< 3.9.24
Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent catego
3.3
LOW
CVE-2023-5548
< 3.9.24
Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.
3.3
LOW
CVE-2023-5547
>= 3.9.0 and < 3.9.24
The course upload preview contained an XSS risk for users uploading unsafe data.
3.3
LOW
CVE-2023-5546
>= 4.0.0 and < 4.0.11
ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.
4.3
MEDIUM
CVE-2023-5545
< 3.9.24
H5P metadata automatically populated the author with the user's username, which could be sensitive information.
3.3
LOW
CVE-2023-5544
>= 3.9.0 and < 3.9.24
Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.
6.5
MEDIUM
CVE-2023-5542
all versions
Students in "Only see own membership" groups could see other students in the group, which should be hidden.
3.3
LOW
CVE-2023-5541
>= 3.9.0 and < 3.9.24
The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.
3.3
LOW
CVE-2023-5540
< 3.9.24
A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.
4.7
MEDIUM
CVE-2023-5539
< 3.9.24
A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.
4.7
MEDIUM
CVE-2023-46858
all versions
Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security
5.4
MEDIUM
CVE-2023-35133
< 3.9.22
An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodl
7.5
HIGH
CVE-2023-35132
< 3.9.22
A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1
6.3
MEDIUM
CVE-2023-35131
>= 3.11.0 and < 3.11.15
Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.
6.1
MEDIUM
CVE-2021-27131
all versions
Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additio
5.4
MEDIUM
CVE-2023-30944
>= 3.9.0 and < 3.9.21
A vulnerability was found in Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for
5.6
MEDIUM
CVE-2023-30943
>= 4.1.0 and < 4.1.3
A vulnerability was found in Moodle which exists because the application allows a user to control the path of the folder to create in Ti
6.5
MEDIUM
CVE-2022-40208
> 3.9.0 and < 3.9.16
In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during
4.3
MEDIUM
CVE-2023-28336
> 3.9.0 and < 3.9.20
Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise
4.3
MEDIUM
CVE-2023-28335
all versions
The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.
8.8
HIGH
CVE-2023-28334
> 4.0.0 and < 4.0.7
Authenticated users were able to enumerate other users' names via the learning plans page.
4.3
MEDIUM
CVE-2023-28333
> 3.9.0 and < 3.9.20
The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be
9.8
CRITICAL
CVE-2023-28332
> 3.9.0 and < 3.9.20
If the algebra filter was enabled but not functional (eg the necessary binaries were missing from the server), it presented an XSS
6.1
MEDIUM
CVE-2023-28331
> 3.9.0 and < 3.9.20
Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk.
6.1
MEDIUM
CVE-2023-28330
> 3.9.0 and < 3.9.20
Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available
6.5
MEDIUM
CVE-2023-28329
> 3.9.0 and < 3.9.20
Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to te
8.8
HIGH
CVE-2023-1402
> 3.9.0 and < 3.9.20
The course participation report required additional checks to prevent roles being displayed which the user did not have access to
4.3
MEDIUM
CVE-2021-36403
< 3.9.8
In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML,
5.3
MEDIUM
CVE-2021-36402
< 3.9.8
In Moodle, Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing
5.3
MEDIUM
CVE-2021-36401
< 3.9.8
In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.
4.8
MEDIUM
CVE-2021-36400
< 3.9.8
In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.
5.3
MEDIUM
CVE-2021-36399
all versions
In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.
5.4
MEDIUM
CVE-2021-36398
all versions
In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.
5.4
MEDIUM
CVE-2021-36397
< 3.9.8
In Moodle, insufficient capability checks meant message deletions were not limited to the current user.
5.3
MEDIUM
CVE-2021-36396
< 3.9.8
In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, result
7.5
HIGH
CVE-2021-36395
< 3.9.8
In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of se
7.5
HIGH
CVE-2021-36394
< 3.9.8
In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.
9.8
CRITICAL
CVE-2021-36393
< 3.9.8
In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.
9.8
CRITICAL
CVE-2021-36392
< 3.9.8
In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.
9.8
CRITICAL
CVE-2023-23923
>= 3.9.0 and < 3.9.19
A vulnerability was found in Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker
8.2
HIGH
CVE-2023-23922
>= 4.0.0 and < 4.0.6
A vulnerability was found in Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote at
6.1
MEDIUM
CVE-2023-23921
>= 3.9.0 and < 3.9.19
A vulnerability was found in Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameter
6.1
MEDIUM
CVE-2022-39183
all versions
Moodle Plugin - SAML Auth may allow Open Redirect through unspecified vectors.
6.5
MEDIUM
CVE-2022-45152
< 3.9.18
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of u
9.1
CRITICAL
CVE-2022-45151
>= 3.11.0 and < 3.11.11
The stored-XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in sever
5.4
MEDIUM
CVE-2022-45150
>= 3.9.0 and < 3.9.18
A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user
6.1
MEDIUM
CVE-2022-45149
>= 3.9.0 and < 3.9.18
A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL.
5.4
MEDIUM
CVE-2022-2986
>= 3.11.0 and < 3.11.9
Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
8.8
HIGH
CVE-2022-40316
>= 3.9.0 and < 3.9.17
The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing t
4.3
MEDIUM
CVE-2022-40315
>= 3.9.0 and < 3.9.17
A limited SQL injection risk was identified in the "browse list of users" site administration page.
9.8
CRITICAL
CVE-2022-40314
>= 3.9 and < 3.9.17
A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.
9.8
CRITICAL
CVE-2022-40313
>= 3.9.0 and < 3.9.17
Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page faili
7.1
HIGH
CVE-2021-40695
>= 3.9.0 and < 3.9.10
It was possible for a student to view their quiz grade before it had been released, using a quiz web service.
4.3
MEDIUM
CVE-2021-40694
< 3.9.10
Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server sy
4.9
MEDIUM
CVE-2021-40693
< 3.9.10
An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnera
6.5
MEDIUM
CVE-2021-40692
>= 3.9.0 and < 3.9.10
Insufficient capability checks made it possible for teachers to download users outside of their courses.
4.3
MEDIUM
CVE-2021-40691
< 3.9.10
A session hijack risk was identified in the Shibboleth authentication plugin.
4.3
MEDIUM
CVE-2021-36568
all versions
In certain Moodle products after creating a course, it is possible to add in an arbitrary "Topic" a resource, in this case a "Datab
5.4
MEDIUM
CVE-2020-1756
>= 3.5.0 and < 3.5.11
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool.
7.2
HIGH
CVE-2020-1755
>= 3.5.0 and < 3.5.11
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass re
5.3
MEDIUM
CVE-2020-14322
>= 3.5.0 and < 3.5.13
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the ri
7.5
HIGH
CVE-2020-14321
>= 3.5.0 and < 3.5.13
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that
8.8
HIGH
CVE-2020-14320
>= 3.7.0 and < 3.7.7
In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS ris
6.1
MEDIUM
CVE-2020-1754
>= 3.5.0 and < 3.5.11
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability
4.3
MEDIUM
CVE-2020-1691
all versions
In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-s
5.4
MEDIUM
CVE-2022-35653
>= 3.9.0 and < 3.9.15
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of use
6.1
MEDIUM
CVE-2022-35652
>= 3.9.0 and < 3.9.15
An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remo
6.1
MEDIUM
CVE-2022-35651
>= 3.9.0 and < 3.9.15
A stored XSS and blind SSRF vulnerability was found in Moodle, which occurs due to insufficient sanitization of user-supplied data in th
6.1
MEDIUM
CVE-2022-35650
>= 3.9.0 and < 3.9.15
A vulnerability was found in Moodle which occurs due to an input validation error when importing lesson questions. This insufficient pat
7.5
HIGH
CVE-2022-35649
>= 3.9.0 and < 3.9.15
A vulnerability was found in Moodle which occurs due to improper input validation when parsing PostScript code. An omitted execution
9.8
CRITICAL
CVE-2022-30600
>= 3.9 and < 3.9.14
A flaw was found in Moodle where logic used to count failed login attempts could result in the account lockout threshold being byp
9.8
CRITICAL
CVE-2022-30599
>= 3.9 and < 3.9.14
A flaw was found in Moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.
9.8
CRITICAL
CVE-2022-30598
>= 3.9 and < 3.9.14
A flaw was found in Moodle where global search results could include author information on some activities where a user may not ot
4.3
MEDIUM
CVE-2022-30597
>= 3.9 and < 3.9.14
A flaw was found in Moodle where the description user field was not hidden when being set as a hidden user field.
5.3
MEDIUM
CVE-2022-30596
>= 3.9 and < 3.9.14
A flaw was found in Moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing t
5.4
MEDIUM
CVE-2022-0984
>= 3.9.0 and < 3.9.13
Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with
4.3
MEDIUM
CVE-2022-0985
< 3.9.13
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the n
4.3
MEDIUM
CVE-2022-0983
>= 3.9.0 and < 3.9.13
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limite
8.8
HIGH
CVE-2021-32478
< 3.8.9
The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moo
6.1
MEDIUM
CVE-2021-32477
>= 3.10.0 and < 3.10.4
The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the releva
4.3
MEDIUM
CVE-2021-32476
< 3.5.18
A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions
7.5
HIGH
CVE-2021-32475
< 3.5.18
ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3
5.4
MEDIUM
CVE-2021-32474
< 3.5.18
An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note th
7.2
HIGH
CVE-2021-32473
< 3.5.18
It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.
5.3
MEDIUM
CVE-2021-32472
>= 3.8.0 and < 3.8.9
Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. Moodle versions 3.1
4.3
MEDIUM
CVE-2022-0335
<= 3.8.9
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete
8.8
HIGH
CVE-2022-0334
<= 3.8.9
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficien
4.3
MEDIUM
CVE-2022-0333
<= 3.8.9
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calenda
3.8
LOW
CVE-2022-0332
>= 3.11.0 and < 3.11.5
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service respon
9.8
CRITICAL
CVE-2021-43560
<= 3.8.8
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficien
5.3
MEDIUM
CVE-2021-43559
<= 3.8.8
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete
8.8
HIGH
CVE-2021-43558
<= 3.8.8
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL param
6.1
MEDIUM
CVE-2021-3943
>= 3.9.0 and <= 3.9.10
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote co
9.8
CRITICAL
CVE-2021-21809
all versions
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of H
9.1
CRITICAL
CVE-2021-32244
all versions
Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description"
5.4
MEDIUM
CVE-2019-14827
>= 3.5.0 and <= 3.5.7
A vulnerability was found in Moodle where JavaScript injection was possible in some Mustache templates via recursive rendering fro
6.1
MEDIUM
CVE-2019-14831
>= 3.5.0 and <= 3.5.7
A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscri
6.1
MEDIUM
CVE-2019-14830
>= 3.5.0 and <= 3.5.7
A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile la
6.1
MEDIUM
CVE-2019-14829
>= 3.5.0 and <= 3.5.7
A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where acti
4.3
MEDIUM
CVE-2019-14828
>= 3.5.0 and <= 3.5.7
A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where use
4.3
MEDIUM
CVE-2021-20283
>= 3.5.0 and < 3.5.17
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to
4.3
MEDIUM
CVE-2021-20282
>= 3.5.0 and < 3.5.17
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in
5.3
MEDIUM
CVE-2021-20281
>= 3.5.0 and < 3.5.17
It was possible for some users without permission to view other users' full names to do so via the online users block in moodle be
5.3
MEDIUM
CVE-2021-20280
>= 3.5.0 and < 3.5.17
Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9
5.4
MEDIUM
CVE-2021-20279
>= 3.5.0 and < 3.5.17
The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8
5.4
MEDIUM
CVE-2021-20185
>= 3.5.0 and < 3.5.16
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending
5.3
MEDIUM
CVE-2021-20187
< 3.5.16
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbi
7.2
HIGH
CVE-2021-20186
< 3.5.16
It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sani
5.4
MEDIUM
CVE-2021-20184
< 3.8.7
It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that insufficient capability checks in some grade related web serv
4.3
MEDIUM
CVE-2021-20183
< 3.10.1
It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping
5.4
MEDIUM
CVE-2020-25627
>= 3.9.0 and < 3.9.2
The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1
6.1
MEDIUM
CVE-2020-25631
>= 3.7.0 and < 3.7.8
A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a b
6.1
MEDIUM
CVE-2020-25630
>= 3.5.0 and < 3.5.14
A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before u
7.5
HIGH
CVE-2020-25629
>= 3.5.0 and < 3.5.14
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may g
8.8
HIGH
CVE-2020-25628
>= 3.5.0 and < 3.5.14
The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4,
6.1
MEDIUM
CVE-2020-25703
>= 3.7.0 and <= 3.7.8
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hid
5.3
MEDIUM
CVE-2020-25702
>= 3.9 and < 3.9.3
In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed
6.1
MEDIUM
CVE-2020-25701
>= 3.5.0 and <= 3.5.14
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the to
5.3
MEDIUM
CVE-2020-25700
>= 3.5.0 and <= 3.5.14
In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affect
6.5
MEDIUM
CVE-2020-25699
>= 3.5.0 and <= 3.5.14
In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to
7.5
HIGH
CVE-2020-25698
>= 3.5.0 and <= 3.5.14
Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This
7.5
HIGH
CVE-2020-10738
>= 3.5 and < 3.5.12
A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupport
7.5
HIGH
CVE-2019-14880
>= 3.5 and < 3.5.9
A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers w
9.1
CRITICAL
CVE-2019-14884
>= 3.5.0 and < 3.5.9
A vulnerability was found in Moodle 3.7 before 3.73, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS was possible from so
6.1
MEDIUM
CVE-2019-14883
>= 3.6.0 and < 3.6.7
A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline attachments in email n
5.3
MEDIUM
CVE-2019-14882
>= 3.5.0 and <= 3.5.9
A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier where an open redirect existed in the Les
6.1
MEDIUM
CVE-2019-14881
>= 3.7.0 and < 3.7.2
A vulnerability was found in moodle 3.7 before 3.7.3, where there is blind XSS reflected in some locations where user email is dis
6.1
MEDIUM
CVE-2020-1692
< 3.7.2
Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course.
8.1
HIGH
CVE-2019-18210
<= 3.7.2
Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript
5.4
MEDIUM
CVE-2019-14879
>= 3.5.0 and <= 3.5.8
A vulnerability was found in Moodle versions 3.7.x before 3.7.3, 3.6.x before 3.6.7 and 3.5.x before 3.5.9. When a cohort role ass
5.4
MEDIUM
CVE-2012-1170
< 2.2.2
Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough
7.5
HIGH
CVE-2012-1169
< 2.2.2
Moodle before 2.2.2 has a personal information disclosure issue when the administrative setting for user name display is set to first name only
5.3
MEDIUM
CVE-2012-1161
< 2.2.2
Moodle before 2.2.2: Course information leak via hidden courses being displayed in tag search results
4.3
MEDIUM
CVE-2012-1160
< 2.2.2
Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe/unsubscribe via mod/forum/i
2.7
LOW
CVE-2012-1159
< 2.2.2
Moodle before 2.2.2: Overview report allows users to see hidden courses
4.3
MEDIUM
CVE-2012-1158
< 2.2.2
Moodle before 2.2.2 has a course information leak in gradebook where users are able to see hidden grade items in export
4.3
MEDIUM
CVE-2012-1157
< 2.2.2
Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default
4.3
MEDIUM
CVE-2012-1168
< 2.2.2
Moodle before 2.2.2 has a password and web services issue where when the user profile is updated the user password is reset if not
8.2
HIGH
CVE-2012-1156
< 2.2.2
Moodle before 2.2.2 has users' private files included in course backups
7.5
HIGH
CVE-2012-1155
>= 1.9 and < 1.9.17
Moodle has a database activity export permission issue where the export function of the database activity module exports all entri
7.5
HIGH
CVE-2019-10189
< 3.5.7
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in an assignment group could modify group overrides for o
4.3
MEDIUM
CVE-2019-10188
< 3.5.7
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in a quiz group could modify group overrides for other gr
4.3
MEDIUM
CVE-2019-10187
< 3.5.7
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able
4.3
MEDIUM
CVE-2019-10186
< 3.5.7
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. A sesskey (CSRF) token was not being utilised by the XML loading/u
8.8
HIGH
CVE-2019-10154
< 3.6.4
A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's co
7.5
HIGH
CVE-2019-10134
>= 3.1.0 and <= 3.1.17
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email was not
3.7
LOW
CVE-2019-10133
>= 3.1.0 and <= 3.1.17
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, whic
3.1
LOW
CVE-2019-3847
< 3.1.17
A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capabili
4.8
MEDIUM
CVE-2019-3852
< 3.6.3
A vulnerability was found in moodle before version 3.6.3. The get_with_capability_join and get_users_by_capability functions were
4.3
MEDIUM
CVE-2019-3851
>= 3.5.0 and < 3.5.5
A vulnerability was found in moodle before versions 3.6.3 and 3.5.5. There was a link to site home within the Boost theme's se
4.3
MEDIUM
CVE-2019-3850
< 3.1.17
A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Links within assignment submission comments wo
4.3
MEDIUM
CVE-2019-3849
< 3.4.8
A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within
8.8
HIGH
CVE-2019-3848
< 3.4.8
A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading
4.3
MEDIUM
CVE-2019-3810
>= 3.1.0 and <= 3.1.15
A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The
6.1
MEDIUM
CVE-2019-3809
>= 3.1.0 and <= 3.1.15
A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting t
6.5
MEDIUM
CVE-2019-3808
>= 3.1.0 and <= 3.1.15
A flaw was found in Moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The
5.4
MEDIUM
CVE-2019-6970
>= 3.5.0 and < 3.5.4
Moodle 3.5.x before 3.5.4 allows SSRF.
7.5
HIGH
CVE-2018-16854
<= 3.0.10
A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not pro
6.5
MEDIUM
CVE-2018-14631
>= 3.3.0 and < 3.3.8
Moodle before versions 3.5.2, 3.4.5, 3.3.8 is vulnerable to a Boost theme blog search GET parameter being insufficiently filtered. The
8.8
HIGH
CVE-2018-14630
<= 3.0.10
Moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos that could lead to intentional remote code
8.8
HIGH
CVE-2018-10891
>= 3.1 and < 3.1.13
A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When a quiz question bank is imported, it was possible for
7.3
HIGH
CVE-2018-10890
>= 3.1.0 and < 3.1.13
A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. It was possible for the core_course_get_categories web ser
4.3
MEDIUM
CVE-2018-10889
>= 3.3.0 and < 3.3.7
A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7. No option existed to omit logs from data privacy exports, which ma
4.3
MEDIUM
CVE-2018-1137
>= 3.1.0 and <= 3.1.11
An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be explo
8.1
HIGH
CVE-2018-1136
>= 3.1.0 and <= 3.1.11
An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard;
4.3
MEDIUM
CVE-2018-1135
>= 3.1.0 and <= 3.1.11
An issue was discovered in Moodle 3.x. Students who posted on forums and exported the posts to portfolios can download any stored
6.5
MEDIUM
CVE-2018-1134
>= 3.1.0 and <= 3.1.11
An issue was discovered in Moodle 3.x. Students who submitted assignments and exported them to portfolios can download any stored
6.5
MEDIUM
CVE-2018-1133
>= 3.1.0 and <= 3.1.11
An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on t
8.8
HIGH
CVE-2018-1082
>= 3.3.0 and <= 3.3.4
A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed
8.1
HIGH
CVE-2018-1081
<= 3.0.10
A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticat
5.3
MEDIUM
CVE-2018-1045
<= 3.1.9
In Moodle 3.x, there is XSS via a calendar event name.
5.4
MEDIUM
CVE-2018-1044
<= 3.1.9
In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings.
4.3
MEDIUM
CVE-2018-1043
all versions
In Moodle 3.x, the setting for blocked hosts list can be bypassed with multiple A record hostnames.
6.5
MEDIUM
CVE-2018-1042
<= 3.1.9
Moodle 3.x has Server Side Request Forgery in the filepicker.
6.5
MEDIUM
CVE-2017-15110
<= 3.0.10
In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page,
4.3
MEDIUM
CVE-2017-12157
all versions
In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access.
4.3
MEDIUM
CVE-2017-12156
all versions
Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback.
6.1
MEDIUM
CVE-2017-7532
all versions
In Moodle 3.x, course creators are able to change system default settings for courses.
6.5
MEDIUM
CVE-2017-7531
all versions
In Moodle 3.3, the course overview block reveals activities in hidden courses.
4.3
MEDIUM
CVE-2017-2642
all versions
Moodle 3.x has user fullname disclosure on the user preferences page.
6.5
MEDIUM
CVE-2017-7491
all versions
In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course ov
4.3
MEDIUM
CVE-2017-7490
all versions
In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.
5.3
MEDIUM
CVE-2017-7489
all versions
In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
6.3
MEDIUM
CVE-2016-3734
all versions
Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.1
8.8
HIGH
CVE-2016-3733
all versions
The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier
4.3
MEDIUM
CVE-2016-3732
all versions
The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13
4.3
MEDIUM
CVE-2016-3731
all versions
Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 allows remote attackers to obtain the names of hidden forums a
5.3
MEDIUM
CVE-2016-3729
all versions
The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows r
6.5
MEDIUM
CVE-2017-7298
all versions
In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute
5.4
MEDIUM
CVE-2017-2645
all versions
In Moodle 3.x, XSS can occur via attachments to evidence of prior learning.
6.1
MEDIUM
CVE-2017-2644
all versions
In Moodle 3.x, XSS can occur via evidence of prior learning.
6.1
MEDIUM
CVE-2017-2643
all versions
In Moodle 3.2.x, global search displays user names for unauthenticated users.
5.3
MEDIUM
CVE-2017-2641
all versions
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
9.8
CRITICAL
CVE-2017-2578
all versions
In Moodle 3.x, there is XSS in the assignment submission page.
6.1
MEDIUM
CVE-2017-2576
<= 2.7.17
In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.
5.3
MEDIUM
CVE-2016-8644
<= 2.7.16
In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.
5.3
MEDIUM
CVE-2016-8643
<= 2.7.16
In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.
4.3
MEDIUM
CVE-2016-8642
<= 2.7.16
In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.
5.3
MEDIUM
CVE-2016-7038
<= 2.7.15
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.
7.3
HIGH
CVE-2016-5014
all versions
In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the cou
5.4
MEDIUM
CVE-2016-5013
<= 2.7.14
In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.
5.4
MEDIUM
CVE-2016-5012
all versions
In Moodle 3.x, glossary search displays entries without checking user permissions to view them.
5.3
MEDIUM
CVE-2016-9188
<= 3.1.2
Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script
6.1
MEDIUM
CVE-2016-9187
<= 3.1.2
Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authent
8.8
HIGH
CVE-2016-9186
<= 3.1.2
Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authe
8.8
HIGH
CVE-2016-7919
all versions
Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue a
7.5
HIGH
CVE-2016-2190
<= 2.6.11
Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly rest
5.3
MEDIUM
CVE-2016-2159
<= 2.6.11
The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9
4.3
MEDIUM
CVE-2016-2158
<= 2.6.11
lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before
4.3
MEDIUM
CVE-2016-2157
<= 2.6.11
Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13
8.8
HIGH
CVE-2016-2156
<= 2.6.11
calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before
4.3
MEDIUM
CVE-2016-2155
all versions
The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.
4.3
MEDIUM
CVE-2016-2154
all versions
admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not con
4.3
MEDIUM
CVE-2016-2153
<= 2.6.11
Cross-site scripting (XSS) vulnerability in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13,
6.1
MEDIUM
CVE-2016-2152
<= 2.6.11
Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x befor
6.1
MEDIUM
CVE-2016-2151
<= 2.6.11
user/index.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 gran
4.3
MEDIUM
CVE-2016-0725
all versions
Cross-site scripting (XSS) vulnerability in the search_pagination function in course/classes/management_renderer.php in Moodle 2.8
6.1
MEDIUM
CVE-2016-0724
<= 2.6.11
The (1) core_enrol_get_course_enrolment_methods and (2) enrol_self_get_instance_info web services in Moodle through 2.6.11, 2.7.x
4.3
MEDIUM
CVE-2015-5342
<= 2.6.11
The choice module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote authenti
4.3
MEDIUM
CVE-2015-5341
<= 2.6.11
mod_scorm in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 mishandles availability dates,
4.3
MEDIUM
CVE-2015-5340
<= 2.6.11
Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbad
4.3
MEDIUM
CVE-2015-5339
<= 2.6.11
The core_enrol_get_enrolled_users web service in enrol/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before
4.3
MEDIUM
CVE-2015-5338
<= 2.6.11
Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8
8.8
HIGH
CVE-2015-5337
<= 2.6.11
Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability
6.1
MEDIUM
CVE-2015-5336
<= 2.6.11
Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x befo
5.4
MEDIUM
CVE-2015-5335
<= 2.6.11
Cross-site request forgery (CSRF) vulnerability in admin/registration/register.php in Moodle through 2.6.11, 2.7.x before 2.7.11,
4.3
MEDIUM
CVE-2015-5332
all versions
Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) b
6.8
MEDIUM
CVE-2015-5331
all versions
Moodle 2.9.x before 2.9.3 does not properly check the contact list before authorizing message transmission, which allows remote au
4.3
MEDIUM
CVE-2015-5272
all versions
The Forum module in Moodle 2.7.x before 2.7.10 allows remote authenticated users to post to arbitrary groups by leveraging the tea
4.3
MEDIUM
CVE-2015-5269
<= 2.6.11
Cross-site scripting (XSS) vulnerability in group/overview.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8,
5.4
MEDIUM
CVE-2015-5268
<= 2.6.11
The rating component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 mishandles group-ba
4.3
MEDIUM
CVE-2015-5267
<= 2.6.11
lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_r
7.5
HIGH
CVE-2015-5266
<= 2.6.11
The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9
6.8
MEDIUM
CVE-2015-5265
<= 2.6.11
The wiki component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 does not consider the
4.3
MEDIUM
CVE-2015-5264
<= 2.6.11
The lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenti
5.4
MEDIUM
CVE-2015-3275
<= 2.6.11
Multiple cross-site scripting (XSS) vulnerabilities in the SCORM module in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before
6.1
MEDIUM
CVE-2015-3274
all versions
Cross-site scripting (XSS) vulnerability in the user_get_user_details function in user/lib.php in Moodle through 2.6.11, 2.7.x bef
6.1
MEDIUM
CVE-2015-3273
all versions
mod/forum/post.php in Moodle 2.9.x before 2.9.1 does not consider the mod/forum:canposttomygroups capability before authorizing "P
4.3
MEDIUM
CVE-2015-3272
all versions
Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x b
7.4
HIGH
CVE-2015-3181
<= 2.5.9
files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not consider t
CVE-2015-3180
<= 2.5.9
lib/navigationlib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authe
CVE-2015-3179
<= 2.5.9
login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authentic
CVE-2015-3178
<= 2.5.9
Cross-site scripting (XSS) vulnerability in the external_format_text function in lib/externallib.php in Moodle through 2.5.9, 2.6.
CVE-2015-3177
all versions
Moodle 2.8.x before 2.8.6 does not consider the tool/monitor:subscribe capability before entering subscriptions to site-wide event
CVE-2015-3176
<= 2.5.9
The account-confirmation feature in login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x
CVE-2015-3175
<= 2.5.9
Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 al
CVE-2015-3174
<= 2.5.9
mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the R
CVE-2015-2273
<= 2.5.9
Cross-site scripting (XSS) vulnerability in mod/quiz/report/statistics/statistics_question_table.php in Moodle through 2.5.9, 2.6.
CVE-2015-2272
<= 2.5.9
login/token.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticate
CVE-2015-2271
<= 2.5.9
tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/
CVE-2015-2270
<= 2.5.9
lib/moodlelib.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4, when the theme uses the
CVE-2015-2269
<= 2.5.9
Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript-static.js in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x
CVE-2015-2268
<= 2.5.9
filter/urltolink/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote
CVE-2015-2267
<= 2.5.9
mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated us
CVE-2015-2266
<= 2.5.9
message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the mo
CVE-2015-1493
<= 2.5.9
Directory traversal vulnerability in the min_get_slash_argument function in lib/configonlylib.php in Moodle through 2.5.9, 2.6.x b
CVE-2015-0218
<= 2.5.9
Cross-site request forgery (CSRF) vulnerability in auth/shibboleth/logout.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x b
CVE-2015-0217
<= 2.5.9
filter/mediaplugin/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remot
CVE-2015-0216
all versions
access.php in the Lesson module in Moodle 2.8.x before 2.8.2 does not set the RISK_XSS bit for graders, which allows remote authen
CVE-2015-0215
<= 2.5.9
calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote aut
CVE-2015-0214
<= 2.5.9
message/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote auth
CVE-2015-0213
<= 2.5.9
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) editcategories.html and (2) editcategories.php in the Glossary m
CVE-2015-0212
<= 2.5.9
Cross-site scripting (XSS) vulnerability in course/pending.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, an
CVE-2015-0211
<= 2.5.9
mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moo
CVE-2014-9060
<= 2.4.11
The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict
CVE-2014-9059
<= 2.4.11
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset in
CVE-2014-7848
<= 2.4.11
lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive informat
CVE-2014-7847
<= 2.4.11
iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote attacker
CVE-2014-7846
<= 2.4.11
tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not conside
CVE-2014-7845
<= 2.4.11
The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not p
CVE-2014-7838
<= 2.4.11
Multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x
CVE-2014-7837
<= 2.4.11
mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenti
CVE-2014-7836
<= 2.4.11
Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x b
CVE-2014-7835
<= 2.4.11
webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or d
CVE-2014-7834
<= 2.4.11
mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remo
CVE-2014-7833
<= 2.4.11
mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID
CVE-2014-7832
<= 2.4.11
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 perf
CVE-2014-7831
<= 2.4.11
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displ
CVE-2014-7830
<= 2.4.11
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x befo
CVE-2014-3617
<= 2.4.11
The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5,
CVE-2014-3553
<= 2.3.11
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x b
CVE-2014-3552
<= 2.3.11
The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before
CVE-2014-3551
<= 2.3.11
Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before
CVE-2014-3550
all versions
Multiple cross-site scripting (XSS) vulnerabilities in admin/tool/task/scheduledtasks.php in Moodle 2.7.x before 2.7.1 allow remot
CVE-2014-3549
all versions
Cross-site scripting (XSS) vulnerability in the get_description function in lib/classes/event/user_login_failed.php in Moodle 2.7.
CVE-2014-3548
<= 2.3.11
Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x befor
CVE-2014-3547
all versions
Multiple cross-site scripting (XSS) vulnerabilities in badges/renderer.php in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2
CVE-2014-3546
<= 2.3.11
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certai
CVE-2014-3545
<= 2.3.11
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authentic
CVE-2014-3544
<= 2.3.11
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.
CVE-2014-3543
<= 2.3.11
mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7
CVE-2014-3542
<= 2.3.11
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1
CVE-2014-3541
<= 2.3.11
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before
CVE-2014-0218
<= 2.3.11
Cross-site scripting (XSS) vulnerability in the URL downloader repository in repository/url/lib.php in Moodle through 2.3.11, 2.4.
CVE-2014-0217
all versions
enrol/index.php in Moodle 2.6.x before 2.6.3 does not check for the moodle/course:viewhiddencourses capability before listing hidd
CVE-2014-0216
<= 2.3.11
The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4
CVE-2014-0215
<= 2.3.11
The blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows
CVE-2014-0214
<= 2.3.11
login/token.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 creates a MoodleMobile w
CVE-2014-0213
<= 2.3.11
Multiple cross-site request forgery (CSRF) vulnerabilities in mod/assign/locallib.php in the Assignment subsystem in Moodle throug
CVE-2014-2572
all versions
mod/assign/externallib.php in Moodle 2.6.x before 2.6.2 does not properly handle assignment web-service parameters, which might al
CVE-2014-2571
<= 2.3.11
Cross-site scripting (XSS) vulnerability in the quiz_question_tostring function in mod/quiz/editlib.php in Moodle through 2.3.11,
CVE-2014-0129
<= 2.3.11
badges/mybadges.php in Moodle 2.5.x before 2.5.5 and 2.6.x before 2.6.2 does not properly track the user to whom a badge was issue
CVE-2014-0127
<= 2.3.11
The time-validation implementation in (1) mod/feedback/complete.php and (2) mod/feedback/complete_guest.php in Moodle through 2.3.
CVE-2014-0126
<= 2.3.11
Cross-site request forgery (CSRF) vulnerability in enrol/imsenterprise/importnow.php in Moodle through 2.3.11, 2.4.x before 2.4.9,
CVE-2014-0125
<= 2.3.11
repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 places a sess
CVE-2014-0124
<= 2.3.11
The identity-reporting implementations in mod/forum/renderer.php and mod/quiz/override_form.php in Moodle through 2.3.11, 2.4.x be
CVE-2014-0123
<= 2.3.11
The wiki subsystem in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly rest
CVE-2014-0122
<= 2.3.11
mod/chat/chat_ajax.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly
CVE-2013-7341
<= 2.3.11
Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x bef
CVE-2014-0010
<= 2.2.11
Multiple cross-site request forgery (CSRF) vulnerabilities in user/profile/index.php in Moodle through 2.2.11, 2.3.x before 2.3.11
CVE-2014-0009
<= 2.2.11
course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 d
CVE-2014-0008
<= 2.3.11
lib/adminlib.php in Moodle through 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 logs cleartext passwords
CVE-2013-4525
<= 2.2.11
Cross-site scripting (XSS) vulnerability in mod/quiz/report/responses/responses_table.php in Moodle through 2.2.11, 2.3.x before 2
CVE-2013-4524
<= 2.2.11
Directory traversal vulnerability in repository/filesystem/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4
CVE-2013-4523
<= 2.2.11
Cross-site scripting (XSS) vulnerability in message/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and
CVE-2013-4522
<= 2.2.11
lib/filelib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 does not send "Cache-Con
CVE-2013-3630
<= 2.5.2
Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname a
CVE-2013-5674
all versions
badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an
CVE-2013-4341
<= 2.2.11
Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x be
CVE-2013-4313
<= 2.2.11
Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in q
CVE-2012-6087
<= 2.2.11
repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2
CVE-2013-4942
all versions
Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used
CVE-2013-4941
all versions
Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in M
CVE-2013-4940
all versions
Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1
CVE-2013-4939
all versions
Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.0.0 through 3.9.1, as used in Moodl
CVE-2013-4938
all versions
The LTI (aka IMS-LTI) mod_form implementation in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.
CVE-2013-2246
all versions
mod/feedback/lib.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1
CVE-2013-2245
all versions
rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does no
CVE-2013-2244
all versions
Multiple cross-site scripting (XSS) vulnerabilities in lib/conditionlib.php in Moodle 2.4.x before 2.4.5 and 2.5.x before 2.5.1 al
CVE-2013-2243
all versions
mod/lesson/pagetypes/matching.php in Moodle through 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 allows
CVE-2013-2242
all versions
mod/chat/gui_sockets/index.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x be
CVE-2013-2083
all versions
The MoodleQuickForm class in lib/formslib.php in Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before
CVE-2013-2082
all versions
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not enforce capability requirements fo
CVE-2013-2081
all versions
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not consider "don't send" attributes d
CVE-2013-2080
all versions
The core_grade component in Moodle through 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly consider the exist
CVE-2013-2079
all versions
mod/assign/locallib.php in the assignment module in Moodle 2.3.x before 2.3.7 and 2.4.x before 2.4.4 does not consider capability
CVE-2013-1836
all versions
Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not properly manage privileges for
CVE-2013-1835
all versions
Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated administrato
CVE-2013-1834
all versions
notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2
CVE-2013-1833
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.
CVE-2013-1832
all versions
repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes th
CVE-2013-1831
all versions
lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers
CVE-2013-1830
all versions
user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forcel
CVE-2013-1829
all versions
calendar/managesubscriptions.php in Moodle 2.4.x before 2.4.2 does not consider capability requirements before displaying calendar
CVE-2012-6112
all versions
classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.
CVE-2012-6106
all versions
calendar/managesubscriptions.php in the Manage Subscriptions implementation in Moodle 2.4.x before 2.4.1 omits a capability check,
CVE-2012-6105
all versions
blog/rsslib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 continues to provide
CVE-2012-6104
all versions
blog/rsslib.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allows remote attackers to obtain sensiti
CVE-2012-6103
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in user/messageselect.php in the messaging system in Moodle 2.2.x befor
CVE-2012-6102
all versions
lib.php in the Submission comments plugin in the Assignment module in Moodle 2.3.x before 2.3.4 and 2.4.x before 2.4.1 allows remo
CVE-2012-6101
all versions
Multiple open redirect vulnerabilities in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attac
CVE-2012-6100
all versions
report/outline/index.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the mo
CVE-2012-6099
all versions
The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2
CVE-2012-6098
all versions
grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and
CVE-2012-5481
all versions
Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass the moodle/role:manage capability requirement and read all c
CVE-2012-5480
all versions
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote attackers to b
CVE-2012-5479
all versions
The Portfolio plugin in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to
CVE-2012-5473
all versions
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated
CVE-2012-5472
all versions
lib/formslib.php in Moodle 2.2.x before 2.2.6 and 2.3.x before 2.3.3 allows remote authenticated users to bypass intended access r
CVE-2012-5471
all versions
The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenti
CVE-2012-4408
all versions
course/reset.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 checks an update capability instead of a
CVE-2012-4407
all versions
lib/filelib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly check the publication s
CVE-2012-4403
all versions
theme/yui_combo.php in Moodle 2.3.x before 2.3.2 does not properly construct error responses for the drag-and-drop script, which a
CVE-2012-4402
all versions
webservice/lib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly restrict the use of
CVE-2012-4401
all versions
Moodle 2.2.x before 2.2.5 and 2.3.x before 2.3.2 allows remote authenticated users to bypass intended capability restrictions and
CVE-2012-4400
all versions
repository/repository_ajax.php in Moodle 2.2.x before 2.2.5 and 2.3.x before 2.3.2 allows remote authenticated users to bypass int
CVE-2012-3398
all versions
Algorithmic complexity vulnerability in Moodle 1.9.x before 1.9.19, 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.
CVE-2012-3397
all versions
lib/modinfolib.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 does not check fo
CVE-2012-3396
all versions
Cross-site scripting (XSS) vulnerability in cohort/edit_form.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2
CVE-2012-3395
all versions
SQL injection vulnerability in mod/feedback/complete.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4
CVE-2012-3394
all versions
auth/ldap/ntlmsso_attempt.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 redire
CVE-2012-3393
all versions
Cross-site scripting (XSS) vulnerability in repository/lib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 allows remote a
CVE-2012-3392
all versions
mod/forum/unsubscribeall.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not consider whether a forum is optional, wh
CVE-2012-3391
all versions
mod/forum/rsslib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not properly implement the requirement for posting b
CVE-2012-3390
all versions
lib/filelib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not properly restrict file access after a block has been
CVE-2012-3389
all versions
Multiple cross-site scripting (XSS) vulnerabilities in mod/lti/typessettings.php in Moodle 2.2.x before 2.2.4 and 2.3.x before 2.3
CVE-2012-3388
all versions
The is_enrolled function in lib/accesslib.php in Moodle 2.2.x before 2.2.4 and 2.3.x before 2.3.1 does not properly interact with
CVE-2012-3387
all versions
Moodle 2.3.x before 2.3.1 uses only a client-side check for whether references are permitted in a file upload, which allows remote
CVE-2012-2367
all versions
Moodle 1.9.x before 1.9.18, 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to by
CVE-2012-2366
all versions
mod/data/preset.php in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 does not properly iterate through an array, which allows r
CVE-2012-2365
all versions
Cross-site scripting (XSS) vulnerability in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote au
CVE-2012-2364
all versions
Cross-site scripting (XSS) vulnerability in lib/filelib.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2
CVE-2012-2363
all versions
SQL injection vulnerability in calendar/event.php in the calendar implementation in Moodle 1.9.x before 1.9.18 allows remote authe
CVE-2012-2362
all versions
Cross-site scripting (XSS) vulnerability in blog/lib.php in the blog implementation in Moodle 1.9.x before 1.9.18, when Internet E
CVE-2012-2361
all versions
Cross-site scripting (XSS) vulnerability in admin/webservice/forms.php in the web services implementation in Moodle 2.0.x before 2
CVE-2012-2360
all versions
Cross-site scripting (XSS) vulnerability in the Wiki subsystem in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before
CVE-2012-2359
all versions
admin/roles/override.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated user
CVE-2012-2358
all versions
Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to bypass an activity's re
CVE-2012-2357
all versions
The Multi-Authentication feature in the Central Authentication Service (CAS) functionality in auth/cas/cas_form.html in Moodle 2.1
CVE-2012-2356
all versions
The question-bank functionality in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass in
CVE-2012-2355
all versions
Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass question:use* capability requirements
CVE-2012-2354
all versions
Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass the moodle/site:readallmessages capab