CVSS: 6.8EPSS: 0%CPEs: 118EXPL: 1CVE-2013-4524
https://notcve.org/view.php?id=CVE-2013-4524
26 Nov 2013 — Directory traversal vulnerability in repository/filesystem/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a path. Vulnerabilidad de recorrido de directorio en repository/filesystem/lib.php de Moodle hasta la versión 2.2.11, 2.3.x anterior a la 2.3.10, 2.4.x anterior a la versión 2.4.7, y 2.5.x anterior a 2.5.3 permite a usuarios remotos autenticados leer archivos arbitrarios a t... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41807 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 64%CPEs: 116EXPL: 4CVE-2013-3630 – Moodle - Remote Command Execution
https://notcve.org/view.php?id=CVE-2013-3630
30 Oct 2013 — Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor. Moodle a través de 2.5.2 permite a los administradores remotos autenticados ejecutar programas arbitrarios mediante la configuración de la ruta aspell y luego desencadenar una operación de corrección ortográfica en el editor TinyMCE. • https://packetstorm.news/files/id/123853 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.9EPSS: 0%CPEs: 29EXPL: 0CVE-2012-6087
https://notcve.org/view.php?id=CVE-2012-6087
16 Sep 2013 — repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value. repository/s3/S3.php en Amazon S3 library en Moodle de la 2.2.11, 2.3.x anteri... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40615 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 29EXPL: 0CVE-2013-4313
https://notcve.org/view.php?id=CVE-2013-4313
16 Sep 2013 — Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string. Moodle desde 2.2.11, 2.3.x anterior a 2.3.9, 2.4.x anterior a 2.4.6, y 2.5.x anterior a 2.5.2 no previene el uso de caracteres "\0" en cadenas de busqueda lo que podría permitir a atacantes remotos dirigir un ataque de inyección SQL contra Microsoft... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40676 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 13%CPEs: 18EXPL: 3CVE-2013-4341 – Moodle 2.3.8/2.4.5 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-4341
16 Sep 2013 — Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed. Múltiples vulnerabilidades de XSS en Moodle de la versión 2.2.11, 2.3.x anterior a 2.3.9, 2.4.x anterior a 2.4.6, y 2.5.x anterior a 2.5.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de un enlace al blog dentro de... • https://packetstorm.news/files/id/164479 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2013-2244
https://notcve.org/view.php?id=CVE-2013-2244
26 Jul 2013 — Multiple cross-site scripting (XSS) vulnerabilities in lib/conditionlib.php in Moodle 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allow remote attackers to inject arbitrary web script or HTML via the conditional access rule value of a user field. Multiples vulnerabilidades XSS en lib/conditionlib.php en Moodle 2.4.x anterior a 2.4.5, y 2.5.x anterior a 2.5.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del valor de la regla condicional de acceso de un campo de... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37516 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 58EXPL: 0CVE-2013-4941
https://notcve.org/view.php?id=CVE-2013-4941
26 Jul 2013 — Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. Vulnerabilidad de XSS en el uploader.swf en el componente Uploader en Yahoo! YUI 3.5.0 a la 3.9.1, utilizado en Moodle hasta la 2.1.10, 2.2.x anterior a 2.2.11, 2.3.... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 50EXPL: 0CVE-2013-4942
https://notcve.org/view.php?id=CVE-2013-4942
26 Jul 2013 — Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. Vulnerabilidad de XSS en el flashuploader.swf en el componente Uploader en Yahoo! YUI 3.5.0 a la 3.9.1, utilizado en Moodle hasta la 2.1.10, 2.2.x anterior a 2.... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 36EXPL: 0CVE-2013-2245
https://notcve.org/view.php?id=CVE-2013-2245
26 Jul 2013 — rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly implement the use of RSS tokens for impersonation, which allows remote authenticated users to obtain sensitive block information by reading an RSS feed. rss/file.php en Moodle a la 2.1.10, 2.2.x anterior a 2.2.11, 2.3.x anterior a 2.3.8, 2.4.x anterior a 2.4.5, y 2.5.x anterior a 2.5.1 no implementa adecuadamente el uso de los tokens RSS para suplantación, lo que permi... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37818 • CWE-287: Improper Authentication •
CVSS: 5.4EPSS: 0%CPEs: 58EXPL: 0CVE-2013-4940
https://notcve.org/view.php?id=CVE-2013-4940
26 Jul 2013 — Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a CVE-2013-4939 regression. Vulnerabilidad de XSS en el io.swf en el componente IO Utility en Yahoo! YUI 3.10.2 a la 3.9.1, utilizado en Mo... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •