CVE-2020-1754
https://notcve.org/view.php?id=CVE-2020-1754
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups. En Moodle versiones anteriores a 3.8.2, 3.7.5, 3.6.9 y 3.5.11, los usuarios visualizando el informe del historial de calificaciones sin la capacidad de "access all groups" no estaban restringidos a visualizar las calificaciones de usuarios de sus propios grupos • https://moodle.org/mod/forum/discuss.php?d=398350 • CWE-284: Improper Access Control CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2020-1691
https://notcve.org/view.php?id=CVE-2020-1691
In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting. En Moodle versión 3.8, los mensajes requerían un saneo extra antes de actualizar el resumen de la conversación, para prevenir el riesgo de tipo cross-site scripting almacenado • https://moodle.org/mod/forum/discuss.php?d=395953 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-35653
https://notcve.org/view.php?id=CVE-2022-35653
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users. Se ha identificado un problema de tipo XSS reflejado en el módulo LTI de Moodle. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299 https://bugzilla.redhat.com/show_bug.cgi?id=2106277 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V https://moodle.org/mod/forum/discuss.php?d=436460 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-35652
https://notcve.org/view.php?id=CVE-2022-35652
An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information. Se ha encontrado un problema de redireccionamiento abierto en Moodle debido a un saneamiento inapropiado de los datos suministrados por el usuario en la función de auto-inicio de sesión móvil. Un atacante remoto puede crear un enlace que conlleva a un sitio web confiable, sin embargo, cuando hace clic, redirige a las víctimas a una URL/dominio arbitrario. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171 https://bugzilla.redhat.com/show_bug.cgi?id=2106276 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V https://moodle.org/mod/forum/discuss.php?d=436459 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2022-35651
https://notcve.org/view.php?id=CVE-2022-35651
A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. Se encontró una vulnerabilidad de tipo XSS almacenado y SSRF ciego en Moodle, es producido debido a un saneamiento insuficiente de los datos suministrados por el usuario en los detalles de la pista SCORM. Un atacante remoto puede engañar a la víctima para que siga un enlace especialmente diseñado y ejecutar código HTML y script arbitrario en el navegador del usuario en el contexto del sitio web vulnerable para robar información potencialmente confidencial, cambiar la apariencia de la página web, puede llevar a cabo ataques de phishing y drive-by-download • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71921 https://bugzilla.redhat.com/show_bug.cgi?id=2106275 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V https://moodle.org/mod/forum/discuss.php?d=436458 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •