CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2023-5549 – Moodle: insufficient capability checks when updating the parent of a course category
https://notcve.org/view.php?id=CVE-2023-5549
09 Nov 2023 — Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage. Las comprobaciones insuficientes de la capacidad del servicio web hicieron posible mover categorías que un usuario tenía permiso para administrar a una categoría principal que no tenía la capacidad de administrar. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66730 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2023-5548 – Moodle: cache poisoning risk with endpoint revision numbers
https://notcve.org/view.php?id=CVE-2023-5548
09 Nov 2023 — Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. Se requirieron limitaciones más estrictas en el número de revisiones en los endpoints de servicio de archivos para mejorar la protección contra el envenenamiento de la caché. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77846 • CWE-345: Insufficient Verification of Data Authenticity CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data •
CVSS: 6.4EPSS: 0%CPEs: 9EXPL: 0CVE-2023-5547 – Moodle: xss risk when previewing data in course upload tool
https://notcve.org/view.php?id=CVE-2023-5547
09 Nov 2023 — The course upload preview contained an XSS risk for users uploading unsafe data. La vista previa de la carga del curso contenía un riesgo XSS para los usuarios que cargaban datos no seguros. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79455 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 1%CPEs: 7EXPL: 1CVE-2023-5546 – Moodle: stored xss in quiz grading report via user id number
https://notcve.org/view.php?id=CVE-2023-5546
09 Nov 2023 — ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Los números de identificación que se muestran en el informe de calificación del cuestionario requirieron una sanitización adicional para evitar un riesgo de XSS almacenado. • https://github.com/obelia01/CVE-2023-5546 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2023-5545 – Moodle: auto-populated h5p author name causes a potential information leak
https://notcve.org/view.php?id=CVE-2023-5545
09 Nov 2023 — H5P metadata automatically populated the author with the user's username, which could be sensitive information. Los metadatos de H5P completaron automáticamente al autor con el nombre de usuario del usuario, que podría ser información confidencial. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 0CVE-2023-5544 – Moodle: stored xss and potential idor risk in wiki comments
https://notcve.org/view.php?id=CVE-2023-5544
09 Nov 2023 — Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. Los comentarios de Wiki requirieron restricciones de acceso y sanitización adicionales para evitar un riesgo XSS almacenado y un riesgo potencial de IDOR. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79509 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-5542 – Moodle: students can view other users in "only see own membership" groups
https://notcve.org/view.php?id=CVE-2023-5542
09 Nov 2023 — Students in "Only see own membership" groups could see other students in the group, which should be hidden. Los estudiantes en los grupos "Ver solo su propia membresía" podrían ver a otros estudiantes en el grupo, que deberían estar ocultos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79213 • CWE-284: Improper Access Control CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 9.0EPSS: 5%CPEs: 7EXPL: 0CVE-2023-5540 – Moodle: authenticated remote code execution risk in imscp
https://notcve.org/view.php?id=CVE-2023-5540
09 Nov 2023 — A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers. Se identificó un riesgo de ejecución remota de código en la actividad IMSCP. Por defecto, esto sólo estaba disponible para profesores y directivos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79409 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2023-39198 – Kernel: qxl: race condition leading to use-after-free in qxl_mode_dumb_create()
https://notcve.org/view.php?id=CVE-2023-39198
09 Nov 2023 — A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation. Se encontró una condición de ejecución en el controlador QXL del kernel de Linux. La función qxl_mode_dumb_cr... • https://access.redhat.com/errata/RHSA-2024:2394 • CWE-416: Use After Free •
CVSS: 9.0EPSS: 5%CPEs: 7EXPL: 0CVE-2023-5539 – Moodle: authenticated remote code execution risk in lesson
https://notcve.org/view.php?id=CVE-2023-5539
09 Nov 2023 — A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. Se identificó un riesgo de ejecución remota de código en la actividad Lesson. Por defecto, esto sólo estaba disponible para profesores y directivos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79408 • CWE-94: Improper Control of Generation of Code ('Code Injection') •