
CVE-2013-4524
https://notcve.org/view.php?id=CVE-2013-4524
26 Nov 2013 — Directory traversal vulnerability in repository/filesystem/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a path.
Reference: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41807
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2013-3630 – Moodle Authenticated Spelling Binary RCE
https://notcve.org/view.php?id=CVE-2013-3630
30 Oct 2013 — Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.
Reference: https://packetstorm.news/files/id/123853
CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2012-6087
https://notcve.org/view.php?id=CVE-2012-6087
16 Sep 2013 — repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value.
Reference: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40615
CWE-20: Improper Input Validation

CVE-2013-4313
https://notcve.org/view.php?id=CVE-2013-4313
16 Sep 2013 — Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string.
Reference: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40676
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2013-4341 – Moodle Authenticated Spelling Binary RCE
https://notcve.org/view.php?id=CVE-2013-4341
16 Sep 2013 — Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed.
Reference: https://packetstorm.news/files/id/164479
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2013-4941
https://notcve.org/view.php?id=CVE-2013-4941
26 Jul 2013 — Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.
Reference: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2013-4942
https://notcve.org/view.php?id=CVE-2013-4942
26 Jul 2013 — Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.
Reference: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2013-2242
https://notcve.org/view.php?id=CVE-2013-2242
26 Jul 2013 — mod/chat/gui_sockets/index.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not consider the mod/chat:chat capability before authorizing daemon-mode chat, which allows remote authenticated users to bypass intended access restrictions via an HTTP session to a chat server.
Reference: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39628
CWE-264: Permissions, Privileges, and Access Controls

CVE-2013-4938
https://notcve.org/view.php?id=CVE-2013-4938
26 Jul 2013 — The LTI (aka IMS-LTI) mod_form implementation in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly support the sendname, sendemailaddr, and acceptgrades settings, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging an environment in which there was an ineffective attempt to enable the more secure values.
Reference: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40308
CWE-264: Permissions, Privileges, and Access Controls

CVE-2013-2245
https://notcve.org/view.php?id=CVE-2013-2245
26 Jul 2013 — rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly implement the use of RSS tokens for impersonation, which allows remote authenticated users to obtain sensitive block information by reading an RSS feed.
Reference: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37818
CWE-287: Improper Authentication