Moodle — CWE-Other

45 CVEs categorized as CWE-Other — Uncategorized in Moodle.

CVE-2022-2986 (2022)
Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
CVE-2021-40695 (2021)
It was possible for a student to view their quiz grade before it had been released, using a quiz web service.
CVE-2021-40694 (2021)
Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.
CVE-2021-40693 (2021)
An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.
CVE-2021-40692 (2021)
Insufficient capability checks made it possible for teachers to download users outside of their courses.
CVE-2021-40691 (2021)
A session hijack risk was identified in the Shibboleth authentication plugin.
CVE-2021-21809 (HIGH, 2021)
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerability.
CVE-2019-3852 (MEDIUM, 2019)
A vulnerability was found in moodle before version 3.6.3. The get_with_capability_join and get_users_by_capability functions were not taking context freezing into account when checking user capabilities.
CVE-2019-3851 (MEDIUM, 2019)
A vulnerability was found in moodle before versions 3.6.3 and 3.5.5. There was a link to site home within the Boost theme's secure layout, meaning students could navigate out of the page.
CVE-2019-3850 (MEDIUM, 2019)
A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header policy made them more su…
CVE-2018-1137 (2018)
An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack.
CVE-2018-1136 (2018)
An issue was discovered in Moodle 3.x. An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard; this is normally not a security issue because a personal dashboard is visible to this user only. Through this security vulnerability, users can move such a block to other…
CVE-2018-1135 (2018)
An issue was discovered in Moodle 3.x. Students who posted on forums and exported the posts to portfolios can download any stored Moodle file by changing the download URL.
CVE-2018-1134 (2018)
An issue was discovered in Moodle 3.x. Students who submitted assignments and exported them to portfolios can download any stored Moodle file by changing the download URL.
CVE-2018-1133 (2018)
An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.
CVE-2018-1045 (2018)
In Moodle 3.x, there is XSS via a calendar event name.
CVE-2018-1044 (2018)
In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings.
CVE-2018-1043 (2018)
In Moodle 3.x, the setting for blocked hosts list can be bypassed with multiple A record hostnames.
CVE-2018-1042 (2018)
Moodle 3.x has Server Side Request Forgery in the filepicker.
CVE-2017-7491 (2017)
In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.
CVE-2017-7490 (2017)
In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.
CVE-2017-7489 (2017)
In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
CVE-2017-2645 (2017)
In Moodle 3.x, XSS can occur via attachments to evidence of prior learning.
CVE-2017-2644 (2017)
In Moodle 3.x, XSS can occur via evidence of prior learning.
CVE-2017-2643 (2017)
In Moodle 3.2.x, global search displays user names for unauthenticated users.
CVE-2017-2641 (2017)
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
CVE-2017-2578 (2017)
In Moodle 3.x, there is XSS in the assignment submission page.
CVE-2017-2576 (2017)
In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.
CVE-2017-15110 (2017)
In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students.
CVE-2017-12157 (2017)
In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access.
CVE-2017-12156 (2017)
Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback.
CVE-2016-8644 (2016)
In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.
CVE-2016-8643 (2016)
In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.
CVE-2016-8642 (2016)
In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.
CVE-2016-7038 (2016)
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.
CVE-2012-1170 (2012)
Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough.
CVE-2012-1169 (2012)
Moodle before 2.2.2 has a personal information disclosure issue: when the administrative setting for user name display is set to first name only, full names are still shown in page breadcrumbs.
CVE-2012-1168 (2012)
Moodle before 2.2.2 has a password and web services issue where the user password is reset if it is not specified when the user profile is updated.
CVE-2012-1161 (2012)
Moodle before 2.2.2 has a course information leak: hidden courses are displayed in tag search results.
CVE-2012-1160 (2012)
Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe or unsubscribe via mod/forum/index.php.
CVE-2012-1159 (2012)
Moodle before 2.2.2 has an issue where the Overview report allows users to see hidden courses.
CVE-2012-1158 (2012)
Moodle before 2.2.2 has a course information leak in the gradebook where users are able to see hidden grade items in exports.
CVE-2012-1157 (2012)
Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default.
CVE-2012-1156 (2012)
Moodle before 2.2.2 includes users' private files in course backups.
CVE-2012-1155 (2012)
Moodle has a database activity export permission issue where the export function of the database activity module exports all entries, including those from groups the user does not belong to.