
CVE-2023-5551 – Moodle: forum summary report shows students from other groups when in separate groups mode
https://notcve.org/view.php?id=CVE-2023-5551
09 Nov 2023 — Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79310 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2023-5550 – Moodle: rce due to lfi risk in some misconfigured shared hosting environments
https://notcve.org/view.php?id=CVE-2023-5550
09 Nov 2023 — In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72249 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2023-5549 – Moodle: insufficient capability checks when updating the parent of a course category
https://notcve.org/view.php?id=CVE-2023-5549
09 Nov 2023 — Insufficient web service capability checks made it possible to move categories a user had permission to manage to a parent category they did not have the capability to manage. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66730 • CWE-269: Improper Privilege Management; CWE-284: Improper Access Control

CVE-2023-5548 – Moodle: cache poisoning risk with endpoint revision numbers
https://notcve.org/view.php?id=CVE-2023-5548
09 Nov 2023 — Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77846 • CWE-345: Insufficient Verification of Data Authenticity; CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

CVE-2023-5545 – Moodle: auto-populated h5p author name causes a potential information leak
https://notcve.org/view.php?id=CVE-2023-5545
09 Nov 2023 — H5P metadata automatically populated the author with the user's username, which could be sensitive information. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-668: Exposure of Resource to Wrong Sphere

CVE-2023-5540 – Moodle: authenticated remote code execution risk in imscp
https://notcve.org/view.php?id=CVE-2023-5540
09 Nov 2023 — A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79409 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2023-5539 – Moodle: authenticated remote code execution risk in lesson
https://notcve.org/view.php?id=CVE-2023-5539
09 Nov 2023 — A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79408 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2023-35132 – Moodle: minor sql injection risk on mnet sso access control page
https://notcve.org/view.php?id=CVE-2023-35132
22 Jun 2023 — A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. • https://bugzilla.redhat.com/show_bug.cgi?id=2214371 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-35133 – Moodle: ssrf risk due to insufficient check on the curl blocked hosts
https://notcve.org/view.php?id=CVE-2023-35133
22 Jun 2023 — An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts list resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. • https://bugzilla.redhat.com/show_bug.cgi?id=2214373 • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2021-36392
https://notcve.org/view.php?id=CVE-2021-36392
06 Mar 2023 — In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses. • https://moodle.org/mod/forum/discuss.php?d=424797 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')