Total
524 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5542 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-12-10 | N/A | 4.3 MEDIUM |
| Students in "Only see own membership" groups could see other students in the group, which should be hidden. | |||||
| CVE-2023-5547 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2023-12-10 | N/A | 6.1 MEDIUM |
| The course upload preview contained an XSS risk for users uploading unsafe data. | |||||
| CVE-2023-5543 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-12-10 | N/A | 3.3 LOW |
| When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting. | |||||
| CVE-2023-5539 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-12-10 | N/A | 8.8 HIGH |
| A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. | |||||
| CVE-2023-5541 | 1 Moodle | 1 Moodle | 2023-12-10 | N/A | 6.1 MEDIUM |
| The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content. | |||||
| CVE-2023-5550 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-12-10 | N/A | 9.8 CRITICAL |
| In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. | |||||
| CVE-2023-5540 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-12-10 | N/A | 8.8 HIGH |
| A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers. | |||||
| CVE-2023-5548 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-12-10 | N/A | 5.3 MEDIUM |
| Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. | |||||
| CVE-2023-5544 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2023-12-10 | N/A | 5.4 MEDIUM |
| Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. | |||||
| CVE-2023-5545 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-12-10 | N/A | 5.3 MEDIUM |
| H5P metadata automatically populated the author with the user's username, which could be sensitive information. | |||||
| CVE-2023-5549 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-12-10 | N/A | 5.3 MEDIUM |
| Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage. | |||||
| CVE-2022-40208 | 1 Moodle | 1 Moodle | 2023-12-10 | N/A | 4.3 MEDIUM |
| In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt. | |||||
| CVE-2022-45152 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-12-10 | N/A | 9.1 CRITICAL |
| A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks. | |||||
| CVE-2021-36397 | 1 Moodle | 1 Moodle | 2023-12-10 | N/A | 5.3 MEDIUM |
| In Moodle, insufficient capability checks meant message deletions were not limited to the current user. | |||||
| CVE-2021-36400 | 1 Moodle | 1 Moodle | 2023-12-10 | N/A | 5.3 MEDIUM |
| In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions. | |||||
| CVE-2021-36399 | 1 Moodle | 1 Moodle | 2023-12-10 | N/A | 5.4 MEDIUM |
| In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk. | |||||
| CVE-2021-36403 | 1 Moodle | 1 Moodle | 2023-12-10 | N/A | 5.3 MEDIUM |
| In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk. | |||||
| CVE-2023-23922 | 1 Moodle | 1 Moodle | 2023-12-10 | N/A | 6.1 MEDIUM |
| The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks. | |||||
| CVE-2021-36393 | 1 Moodle | 1 Moodle | 2023-12-10 | N/A | 9.8 CRITICAL |
| In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses. | |||||
| CVE-2021-36395 | 1 Moodle | 1 Moodle | 2023-12-10 | N/A | 7.5 HIGH |
| In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service. | |||||