CVSS: 5.4EPSS: 0%CPEs: 35EXPL: 0CVE-2015-3174
https://notcve.org/view.php?id=CVE-2015-3174
01 Jun 2015 — mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading. mod/quiz/db/access.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.11, 2.7.x anterior a 2.7.8, y 2.8.x anterior a 2.8.6 no configura el bit RISK_XSS para graduadores, lo que permite a usuarios remotos autenticado... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49941 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 22EXPL: 0CVE-2015-0212
https://notcve.org/view.php?id=CVE-2015-0212
01 Jun 2015 — Cross-site scripting (XSS) vulnerability in course/pending.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted course summary. Vulnerabilidad de XSS en course/pending.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.7, 2.7.x anterior a 2.7.4, y 2.8.x anterior a 2.8.2 permite a usuarios remotos autenticados inyectar secuencias de comandos web arbitrarios o HTML a través de un resumen ... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 22EXPL: 0CVE-2015-0213
https://notcve.org/view.php?id=CVE-2015-0213
01 Jun 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in (1) editcategories.html and (2) editcategories.php in the Glossary module in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allow remote attackers to hijack the authentication of unspecified victims. Múltiples vulnerabilidades de CSRF en (1) editcategories.html y (2) editcategories.php en el módulo Glossary en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.7, 2.7.x anterior a 2.7.4, y 2.8.x anterior a 2.8.2 permite... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48106 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 29EXPL: 2CVE-2015-2269 – Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-2269
17 Mar 2015 — Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript-static.js in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) alt or (2) title attribute in an IMG element. Múltiples vulnerabilidades de XSS en lib/javascript-static.js en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.9, 2.7.x anterior a 2.7.6, y 2.8.x anterior a 2.8.4 permiten a usuarios remotos autenticados inyectar secuenci... • https://packetstorm.news/files/id/130865 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7836
https://notcve.org/view.php?id=CVE-2014-7836
24 Nov 2014 — Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request. Múltiples vulnerabilidades de CSRF en el módulo LTI en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 permiten a atacantes remotos secuestr... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7848
https://notcve.org/view.php?id=CVE-2014-7848
24 Nov 2014 — lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. lib/phpunit/bootstrap.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 permite a atacantes remotos obtener información sensible a través de una solicitud directa, lo que revela la ruta completa en un mensaje de error. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47287 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-9060
https://notcve.org/view.php?id=CVE-2014-9060
24 Nov 2014 — The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php. El módulo LTI en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 no restringe debidamente los parámetros utilizados en una URL de retorno, lo qu... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7831
https://notcve.org/view.php?id=CVE-2014-7831
24 Nov 2014 — lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service. lib/classes/grades_external.php en Moodle 2.7.x anterior a 2.7.3 no considera la funcionalidad moodle/grade:viewhidden antes de mostrar notas escondidas, lo que permite a usuarios remotos autenticados obtener información... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7833
https://notcve.org/view.php?id=CVE-2014-7833
24 Nov 2014 — mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher. mod/data/edit.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 configura cierto ID de grupo a cero cuando hay un cambio de entrada en la base de datos, lo que permit... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47697 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7834
https://notcve.org/view.php?id=CVE-2014-7834
24 Nov 2014 — mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service. mod/forum/externallib.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 no verifica permisos de grupos, lo que permite a usuarios remotos autenticados acceder a un foro a través del servicio web forum_get_discussions. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45303 • CWE-264: Permissions, Privileges, and Access Controls •