CVE-2018-1081
https://notcve.org/view.php?id=CVE-2018-1081
A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via paypal enrol script. Paypal IPN callback script should only send error emails to admin after request origin was verified, otherwise admin email can be spammed. Se ha encontrado un error en Moodle 3.4 a 3.4.1, 3.3 a 3.3.4, 3.2 a 3.2.7 y 3.1 a 3.1.10, así como en versiones anteriores sin soporte. Los usuarios no autenticados pueden desencadenar mensajes personalizados para los administradores mediante un script de registro en paypal. • http://www.securityfocus.com/bid/103728 https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61392 https://moodle.org/mod/forum/discuss.php?d=367938 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-1044
https://notcve.org/view.php?id=CVE-2018-1044
In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings. En Moodle 3.x, los servicios quiz web permiten que los estudiantes vean los resultados de los tests cuando se les prohíbe hacerlo en las opciones. • http://www.securityfocus.com/bid/102754 https://moodle.org/mod/forum/discuss.php?d=364383 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-1045
https://notcve.org/view.php?id=CVE-2018-1045
In Moodle 3.x, there is XSS via a calendar event name. En Moodle 3.x, hay XSS mediante un nombre de evento de calendario. • http://www.securityfocus.com/bid/102755 https://moodle.org/mod/forum/discuss.php?d=364384 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-1042 – Moodle Filepicker 3.5.2 - Server Side Request Forgery
https://notcve.org/view.php?id=CVE-2018-1042
Moodle 3.x has Server Side Request Forgery in the filepicker. Moodle, en versiones 3.x, tiene Server Side Request Forgery en el filepicker. Moodle Filepicker version 3.5.2 suffers from a server-side request forgery vulnerability. • https://www.exploit-db.com/exploits/47177 https://github.com/UDPsycho/Moodle-CVE-2018-1042 http://packetstormsecurity.com/files/153766/Moodle-Filepicker-3.5.2-Server-Side-Request-Forgery.html http://www.securityfocus.com/bid/102752 https://moodle.org/mod/forum/discuss.php?d=364381 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2017-15110
https://notcve.org/view.php?id=CVE-2017-15110
In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students. En las versiones 3.x de Moodle, los estudiantes pueden averiguar las direcciones de correo electrónico de otros estudiantes en el mismo curso. Empleando la búsqueda en la página Participants, los estudiantes podrían buscar las direcciones de correo electrónico de todos los participantes, independientemente de la visibilidad del correo electrónico. • http://www.securityfocus.com/bid/101909 https://moodle.org/mod/forum/discuss.php?d=361784 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •