CVSS: 4.3EPSS: 0%CPEs: 31EXPL: 0CVE-2016-0724
https://notcve.org/view.php?id=CVE-2016-0724
The (1) core_enrol_get_course_enrolment_methods and (2) enrol_self_get_instance_info web services in Moodle through 2.6.11, 2.7.x before 2.7.12, 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 do not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to obtain sensitive information via a web-service request. Los servicios web (1) core_enrol_get_course_enrolment_methods y (2) enrol_self_get_instance_info en Moodle hasta la versión 2.6.11, 2.7.x en versiones anteriores a 2.7.12, 2.8.x en versiones anteriores a 2.8.10, 2.9.x en versiones anteriores a 2.9.4 y 3.0.x en versiones anteriores a 3.0.2 no consideran la capacidad moodle/course:viewhiddencourses, lo que permite a usuarios remotos autenticados obtener información sensible a través de una petición a servicio web. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52072 http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176502.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176436.html http://www.openwall.com/lists/oss-security/2016/01/18/1 http://www.securitytracker.com/id/1034694 https://moodle.org/mod/forum/discuss.php?d=326205 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 24EXPL: 0CVE-2015-5341
https://notcve.org/view.php?id=CVE-2015-5341
mod_scorm in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 mishandles availability dates, which allows remote authenticated users to bypass intended access restrictions and read SCORM contents via unspecified vectors. mod_scorm en Moodle hasta la versión 2.6.11, 2.7.x en versiones anteriores a 2.7.11, 2.8.x en versiones anteriores a 2.8.9 y 2.9.x en versiones anteriores a 2.9.3 no maneja adecuadamente la disponibilidad de fechas, lo que permite a usuarios remotos autenticados eludir las restricciones destinadas al acceso y leer contenidos SCORM a través de vectores no especificados. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50837 https://moodle.org/mod/forum/discuss.php?d=323236 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 21EXPL: 0CVE-2015-5265
https://notcve.org/view.php?id=CVE-2015-5265
The wiki component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 does not consider the mod/wiki:managefiles capability before authorizing file management, which allows remote authenticated users to delete arbitrary files by using a manage-files button in a text editor. El componente wiki en Moodle hasta la versión 2.6.11, 2.7.x en versiones anteriores a 2.7.10, 2.8.x en versiones anteriores a 2.8.8 y 2.9.x en versiones anteriores a 2.9.2 no considera la capacidad mod/wiki:managefiles antes de autorizar la administración de archivos, lo que permite a usuarios remotos autenticados eliminar archivos arbitrarios mediante el uso de un botón manage-files en un editor de texto. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48371 http://www.openwall.com/lists/oss-security/2015/09/21/1 http://www.securitytracker.com/id/1033619 https://moodle.org/mod/forum/discuss.php?d=320289 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 24EXPL: 0CVE-2015-5340
https://notcve.org/view.php?id=CVE-2015-5340
Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbadges capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) badges/overview.php or (2) badges/view.php. Moodle hasta la versión 2.6.11, 2.7.x en versiones anteriores a 2.7.11, 2.8.x en versiones anteriores a 2.8.9 y 2.9.x en versiones anteriores a 2.9.3 no considera la capacidad moodle/badges:viewbadges, lo que permite a usuarios remotos autenticados obtener información sensible de distintivo a través de una petición que involucra (1) badges/overview.php o (2) badges/view.php. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51684 https://moodle.org/mod/forum/discuss.php?d=323235 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.4EPSS: 0%CPEs: 24EXPL: 0CVE-2015-5336
https://notcve.org/view.php?id=CVE-2015-5336
Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering a crafted survey answer. Múltiples vulnerabilidades de XSS en el módulo survey en Moodle hasta la versión 2.6.11, 2.7.x en versiones anteriores a 2.7.11, 2.8.x en versiones anteriores a 2.8.9 y 2.9.x en versiones anteriores a 2.9.3 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios aprovechando el rol estudiante e introduciendo una respuesta de encuesta manipulada. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49940 https://moodle.org/mod/forum/discuss.php?d=323231 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •