Filtered by vendor Moodle
Total: 631 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-2080 | 1 Moodle | 1 Moodle | 2026-04-29 | 4.0 MEDIUM | N/A |
| The core_grade component in Moodle through 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly consider the existence of hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role and reading the Gradebook Overview report. | |||||
| CVE-2011-4305 | 1 Moodle | 1 Moodle | 2026-04-29 | 4.0 MEDIUM | N/A |
| message/refresh.php in Moodle 1.9.x before 1.9.14 allows remote authenticated users to cause a denial of service (infinite request loop) via a URL that specifies a zero wait time for message refreshing. | |||||
| CVE-2012-5480 | 1 Moodle | 1 Moodle | 2026-04-29 | 6.4 MEDIUM | N/A |
| The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote attackers to bypass intended restrictions on reading other participants' entries via an advanced search. | |||||
| CVE-2013-2243 | 1 Moodle | 1 Moodle | 2026-04-29 | 4.0 MEDIUM | N/A |
| mod/lesson/pagetypes/matching.php in Moodle through 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 allows remote authenticated users to obtain sensitive answer information by reading the HTML source code of a document. | |||||
| CVE-2011-4280 | 2 Moodle, Nimish Pachapurkar | 2 Moodle, Spike Phpcoverage | 2026-04-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Spike PHPCoverage (aka spikephpcoverage) library, as used in Moodle 2.0.x before 2.0.2 and other products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-1830 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2026-04-29 | 5.0 MEDIUM | N/A |
| user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search. | |||||
| CVE-2012-6103 | 1 Moodle | 1 Moodle | 2026-04-29 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in user/messageselect.php in the messaging system in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attackers to hijack the authentication of arbitrary users for requests that send course messages. | |||||
| CVE-2010-1617 | 1 Moodle | 1 Moodle | 2026-04-29 | 4.0 MEDIUM | N/A |
| user/view.php in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 does not properly check a role, which allows remote authenticated users to obtain the full names of other users via the course profile page. | |||||
| CVE-2013-4522 | 1 Moodle | 1 Moodle | 2026-04-29 | 5.0 MEDIUM | N/A |
| lib/filelib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 does not send "Cache-Control: private" HTTP headers, which allows remote attackers to obtain sensitive information by requesting a file that had been previously retrieved by a caching proxy server. | |||||
| CVE-2012-3388 | 1 Moodle | 1 Moodle | 2026-04-29 | 4.0 MEDIUM | N/A |
| The is_enrolled function in lib/accesslib.php in Moodle 2.2.x before 2.2.4 and 2.3.x before 2.3.1 does not properly interact with the caching feature, which might allow remote authenticated users to bypass an intended capability check via unspecified vectors that trigger caching of a user record. | |||||
| CVE-2011-4586 | 1 Moodle | 1 Moodle | 2026-04-29 | 5.0 MEDIUM | N/A |
| CRLF injection vulnerability in calendar/set.php in the Calendar subsystem in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | |||||
| CVE-2011-4307 | 1 Moodle | 1 Moodle | 2026-04-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in mod/wiki/lang/en/wiki.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the section parameter. | |||||
| CVE-2012-5472 | 1 Moodle | 1 Moodle | 2026-04-29 | 4.0 MEDIUM | N/A |
| lib/formslib.php in Moodle 2.2.x before 2.2.6 and 2.3.x before 2.3.3 allows remote authenticated users to bypass intended access restrictions via a modified value of a frozen form field. | |||||
| CVE-2011-4285 | 1 Moodle | 1 Moodle | 2026-04-29 | 5.5 MEDIUM | N/A |
| The default configuration of Moodle 2.0.x before 2.0.2 has an incorrect setting of the moodle/course:delete capability, which allows remote authenticated users to delete arbitrary courses by leveraging the teacher role. | |||||
| CVE-2012-0799 | 1 Moodle | 1 Moodle | 2026-04-29 | 4.3 MEDIUM | N/A |
| Moodle 2.0.x before 2.0.7 and 2.1.x before 2.1.4, when an anonymous front-page forum is enabled, allows remote attackers to obtain session keys for their sessions by visiting the front page. | |||||
| CVE-2012-0794 | 1 Moodle | 1 Moodle | 2026-04-29 | 5.0 MEDIUM | N/A |
| The rc4encrypt function in lib/moodlelib.php in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 uses a hardcoded password of nfgjeingjk, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by reading this script's source code within the open-source software distribution. | |||||
| CVE-2011-4289 | 1 Moodle | 1 Moodle | 2026-04-29 | 4.0 MEDIUM | N/A |
| Moodle 2.0.x before 2.0.3 does not recognize the configuration setting that makes e-mail addresses visible only to course members, which allows remote authenticated users to obtain sensitive address information by reading a full profile page. | |||||
| CVE-2013-5674 | 1 Moodle | 1 Moodle | 2026-04-29 | 7.5 HIGH | N/A |
| badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter. | |||||
| CVE-2012-2363 | 1 Moodle | 1 Moodle | 2026-04-29 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in calendar/event.php in the calendar implementation in Moodle 1.9.x before 1.9.18 allows remote authenticated users to execute arbitrary SQL commands via a crafted calendar event. | |||||
| CVE-2012-3387 | 1 Moodle | 1 Moodle | 2026-04-29 | 4.0 MEDIUM | N/A |
| Moodle 2.3.x before 2.3.1 uses only a client-side check for whether references are permitted in a file upload, which allows remote authenticated users to bypass intended alias (aka shortcut) restrictions via a client that omits this check. | |||||
