CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7846
https://notcve.org/view.php?id=CVE-2014-7846
24 Nov 2014 — tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request. tag/tag_autocomplete.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 no considera la funcionalidad moodle/tag:edit antes de añadir una etiqueta, lo que permite a usuarios remo... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47965 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7833
https://notcve.org/view.php?id=CVE-2014-7833
24 Nov 2014 — mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher. mod/data/edit.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 configura cierto ID de grupo a cero cuando hay un cambio de entrada en la base de datos, lo que permit... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47697 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7831
https://notcve.org/view.php?id=CVE-2014-7831
24 Nov 2014 — lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service. lib/classes/grades_external.php en Moodle 2.7.x anterior a 2.7.3 no considera la funcionalidad moodle/grade:viewhidden antes de mostrar notas escondidas, lo que permite a usuarios remotos autenticados obtener información... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7834
https://notcve.org/view.php?id=CVE-2014-7834
24 Nov 2014 — mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service. mod/forum/externallib.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 no verifica permisos de grupos, lo que permite a usuarios remotos autenticados acceder a un foro a través del servicio web forum_get_discussions. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45303 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7848
https://notcve.org/view.php?id=CVE-2014-7848
24 Nov 2014 — lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. lib/phpunit/bootstrap.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 permite a atacantes remotos obtener información sensible a través de una solicitud directa, lo que revela la ruta completa en un mensaje de error. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47287 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 19EXPL: 0CVE-2014-9059
https://notcve.org/view.php?id=CVE-2014-9059
24 Nov 2014 — lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts. lib/setup.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 no proporciona información charset en cabeceras HTTP, lo que podría permitir a atacantes remotos realiza... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7838
https://notcve.org/view.php?id=CVE-2014-7838
24 Nov 2014 — Multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for requests that set a tracking preference within (1) mod/forum/deprecatedlib.php, (2) mod/forum/forum.js, (3) mod/forum/index.php, or (4) mod/forum/lib.php. Múltiples vulnerabilidades de CSRF en el módulo Forum en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anteri... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48019 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7835
https://notcve.org/view.php?id=CVE-2014-7835
24 Nov 2014 — webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area. webservice/upload.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 no asegura que una subida de ficheros es para una área privada o de borrador, lo que permite a usuarios remotos... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47868 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7830
https://notcve.org/view.php?id=CVE-2014-7830
24 Nov 2014 — Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter. Vulnerabilidad de XSS en mod/feedback/mapcourse.php en el módulo Feedback en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47865 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 72EXPL: 0CVE-2014-3617
https://notcve.org/view.php?id=CVE-2014-3617
15 Sep 2014 — The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum. La función forum_print_latest_discussions en mod/forum/lib.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.8, 2.6.x anter... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619 • CWE-264: Permissions, Privileges, and Access Controls •