
CVSS: 7.5 • EPSS: 0% • CPEs: 6 • EXPL: 0

19 Nov 2020 — Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. • https://bugzilla.redhat.com/show_bug.cgi?id=1895419 • CWE-284: Improper Access Control

CVSS: 7.5 • EPSS: 0% • CPEs: 6 • EXPL: 0

19 Nov 2020 — In Moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in Moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. • https://bugzilla.redhat.com/show_bug.cgi?id=1895425 • CWE-863: Incorrect Authorization

CVSS: 8.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

21 May 2020 — A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions. It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68410 • CWE-20: Improper Input Validation

CVSS: 9.1 • EPSS: 0% • CPEs: 3 • EXPL: 0

31 Mar 2020 — A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14880 • CWE-287: Improper Authentication

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Mar 2020 — A vulnerability was found in Moodle 3.7 before 3.7.3, where there is blind XSS reflected in some locations where user email is displayed. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14881 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 3 • EXPL: 0

18 Mar 2020 — A vulnerability was found in Moodle 3.7 before 3.73, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS was possible from some fatal error messages. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14884 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

18 Mar 2020 — A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14883 • CWE-285: Improper Authorization • CWE-862: Missing Authorization

CVSS: 6.1 • EPSS: 0% • CPEs: 3 • EXPL: 0

18 Mar 2020 — A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier where an open redirect existed in the Lesson edit page. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14882 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Feb 2020 — Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1692 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Feb 2020 — Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Bec... • https://docs.moodle.org/38/en/Teacher_role • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')