Filtered by vendor Moodle
Total: 631 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2006-4940 | 1 Moodle | 1 Moodle | 2026-04-16 | 5.0 MEDIUM | N/A |
| login/forgot_password.php in Moodle before 1.6.2 allows remote attackers to obtain sensitive information (e-mail addresses and Moodle account names) via a find action. | |||||
| CVE-2005-3648 | 1 Moodle | 1 Moodle | 2026-04-16 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in the get_record function in datalib.php in Moodle 1.5.2 allow remote attackers to execute arbitrary SQL commands via the id parameter in (1) category.php and (2) info.php. | |||||
| CVE-2005-3649 | 1 Moodle | 1 Moodle | 2026-04-16 | 2.6 LOW | N/A |
| jumpto.php in Moodle 1.5.2 allows remote attackers to redirect users to other sites via the jump parameter. | |||||
| CVE-2006-4942 | 1 Moodle | 1 Moodle | 2026-04-16 | 4.6 MEDIUM | N/A |
| Moodle before 1.6.2, when the configuration lacks (1) algebra or (2) tex filters, allows remote authenticated users to write LaTeX or MimeTeX output files to the top level of the dataroot directory via (a) filter/algebra/pix.php or (b) filter/tex/pix.php. | |||||
| CVE-2006-0147 | 5 John Lim, Mantis, Moodle and 2 more | 5 Adodb, Mantis, Moodle and 2 more | 2026-04-16 | 7.5 HIGH | N/A |
| Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo. | |||||
| CVE-2006-0146 | 6 John Lim, Mantis, Mediabeez and 3 more | 6 Adodb, Mantis, Mediabeez and 3 more | 2026-04-16 | 7.5 HIGH | N/A |
| The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter. | |||||
| CVE-2006-4943 | 1 Moodle | 1 Moodle | 2026-04-16 | 5.0 MEDIUM | N/A |
| course/jumpto.php in Moodle before 1.6.2 does not validate the session key (sesskey) before providing content from arbitrary local URIs, which allows remote attackers to obtain sensitive information via the jump parameter. | |||||
| CVE-2006-4785 | 1 Moodle | 1 Moodle | 2026-04-16 | 7.5 HIGH | N/A |
| SQL injection vulnerability in blog/edit.php in Moodle 1.6.1 and earlier allows remote attackers to execute arbitrary SQL commands via the format parameter as stored in the $blogEntry variable, which is not properly handled by the insert_record function, which calls _adodb_column_sql in the adodb layer (lib/adodb/adodb-lib.inc.php), which does not convert the data type to an int. | |||||
| CVE-2004-2234 | 1 Moodle | 1 Moodle | 2026-04-16 | 7.5 HIGH | N/A |
| Unknown vulnerability in Moodle before 1.2 allows teachers to log in as administrators. | |||||
| CVE-2025-67847 | 1 Moodle | 1 Moodle | 2026-03-05 | N/A | 8.8 HIGH |
| A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application. | |||||
| CVE-2021-47857 | 1 Moodle | 1 Moodle | 2026-03-05 | N/A | 7.2 HIGH |
| Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event. | |||||
| CVE-2025-67856 | 1 Moodle | 1 Moodle | 2026-02-26 | N/A | 5.4 MEDIUM |
| A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features. | |||||
| CVE-2026-26045 | 1 Moodle | 1 Moodle | 2026-02-26 | N/A | 7.2 HIGH |
| A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are typically available to privileged users, exploitation requires authenticated access. Successful exploitation could result in full compromise of the Moodle server. | |||||
| CVE-2026-26046 | 1 Moodle | 1 Moodle | 2026-02-26 | N/A | 7.2 HIGH |
| A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator could result in unintended system command execution. While exploitation requires administrative privileges, successful compromise could affect the entire Moodle server. | |||||
| CVE-2026-26047 | 1 Moodle | 1 Moodle | 2026-02-26 | N/A | 6.5 MEDIUM |
| A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption. | |||||
| CVE-2025-67857 | 1 Moodle | 1 Moodle | 2026-02-11 | N/A | 4.3 MEDIUM |
| A flaw was found in Moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure. | |||||
| CVE-2025-67855 | 1 Moodle | 1 Moodle | 2026-02-11 | N/A | 5.4 MEDIUM |
| A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user's browser. | |||||
| CVE-2025-67853 | 1 Moodle | 1 Moodle | 2026-02-11 | N/A | 7.5 HIGH |
| A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts. | |||||
| CVE-2025-67852 | 1 Moodle | 1 Moodle | 2026-02-11 | N/A | 3.5 LOW |
| A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure. | |||||
| CVE-2025-67851 | 1 Moodle | 1 Moodle | 2026-02-11 | N/A | 6.1 MEDIUM |
| A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet. | |||||
