CVE-2022-30597
https://notcve.org/view.php?id=CVE-2022-30597
A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field. Se detectó un fallo en moodle por el que el campo de usuario descripción no era ocultado cuando era configurado como campo de usuario oculto • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74318 https://bugzilla.redhat.com/show_bug.cgi?id=2083585 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGF35EN5K2R6X3NTY3XPZSJ3UDASMXI6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PIMSIRKCFLIC646K4GMUSZU7THOUVPAJ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCTWSE3JDMSYL7DPCMXMMJEXZSS6VIA5 https://moodle.org/mod/foru • CWE-472: External Control of Assumed-Immutable Web Parameter •
CVE-2022-30596
https://notcve.org/view.php?id=CVE-2022-30596
A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk. Se ha encontrado un fallo en moodle donde los números de identificación mostrados cuando son asignan marcadores de forma masiva a las asignaciones requerían un saneo adicional para prevenir un riesgo de ataque de tipo XSS almacenado • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74204 https://bugzilla.redhat.com/show_bug.cgi?id=2083583 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGF35EN5K2R6X3NTY3XPZSJ3UDASMXI6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PIMSIRKCFLIC646K4GMUSZU7THOUVPAJ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCTWSE3JDMSYL7DPCMXMMJEXZSS6VIA5 https://moodle.org/mod/foru • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-0984
https://notcve.org/view.php?id=CVE-2022-0984
Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges. Los usuarios con capacidad para configurar los criterios de las insignias (profesores y administradores por defecto) podían configurar las insignias del curso con los criterios del campo de perfil, que sólo deberían estar disponibles para las insignias del sitio • https://bugzilla.redhat.com/show_bug.cgi?id=2064118 • CWE-863: Incorrect Authorization •
CVE-2022-0985
https://notcve.org/view.php?id=CVE-2022-0985
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability. Las comprobaciones de capacidad insuficientes podrían permitir a usuarios con la capacidad moodle/site:uploadusers eliminar usuarios, sin tener la capacidad moodle/user:delete necesaria • https://bugzilla.redhat.com/show_bug.cgi?id=2064117 • CWE-287: Improper Authentication CWE-863: Incorrect Authorization •
CVE-2022-0983
https://notcve.org/view.php?id=CVE-2022-0983
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default. Se identificó un riesgo de inyección SQL en el código deBadges relacionado con la configuración de criterios. El acceso a la capacidad correspondiente estaba limitado por defecto a los profesores y administradores • https://bugzilla.redhat.com/show_bug.cgi?id=2064119 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4GRMWBGHOJMFXMTORECQNULJK7ZJJ6Y • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •