CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-48897 – Moodle: idor in edit/delete rss feed
https://notcve.org/view.php?id=CVE-2024-48897
18 Nov 2024 — A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify. Se encontró una vulnerabilidad en Moodle. Se requieren verificaciones adicionales para garantizar que los usuarios solo puedan editar o eliminar los feeds RSS que tengan permiso para modificar. • https://bugzilla.redhat.com/show_bug.cgi?id=2318821 • CWE-285: Improper Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43440 – Moodle: lfi vulnerability when restoring malformed block backups
https://notcve.org/view.php?id=CVE-2024-43440
07 Nov 2024 — A flaw was found in moodle. A local file may include risks when restoring block backups. • https://bugzilla.redhat.com/show_bug.cgi?id=2304269 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43438 – Moodle: idor in feedback non-respondents report allows messaging arbitrary site users
https://notcve.org/view.php?id=CVE-2024-43438
07 Nov 2024 — A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report. • https://bugzilla.redhat.com/show_bug.cgi?id=2304267 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43436 – Moodle: site administration sql injection via xmldb editor
https://notcve.org/view.php?id=CVE-2024-43436
07 Nov 2024 — A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators. • https://bugzilla.redhat.com/show_bug.cgi?id=2304264 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43434 – Moodle: csrf risk in feedback non-respondents report
https://notcve.org/view.php?id=CVE-2024-43434
07 Nov 2024 — The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability. • https://bugzilla.redhat.com/show_bug.cgi?id=2304262 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43431 – Moodle: idor in badges allows deletion of arbitrary badges
https://notcve.org/view.php?id=CVE-2024-43431
07 Nov 2024 — A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access. • https://bugzilla.redhat.com/show_bug.cgi?id=2304259 • CWE-862: Missing Authorization •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43428 – Moodle: cache poisoning via injection into storage
https://notcve.org/view.php?id=CVE-2024-43428
07 Nov 2024 — To address a cache poisoning risk in Moodle, additional validation for local storage was required. • https://bugzilla.redhat.com/show_bug.cgi?id=2304256 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43426 – Moodle: arbitrary file read risk through pdftex
https://notcve.org/view.php?id=CVE-2024-43426
07 Nov 2024 — A flaw was found in pdfTeX. Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available, such as those with TeX Live installed. • https://bugzilla.redhat.com/show_bug.cgi?id=2304254 • CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 8.1EPSS: 85%CPEs: 1EXPL: 3CVE-2024-43425 – Moodle: remote code execution via calculated question types
https://notcve.org/view.php?id=CVE-2024-43425
07 Nov 2024 — A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions. • https://packetstorm.news/files/id/183003 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.4EPSS: 2%CPEs: 2EXPL: 1CVE-2024-34312
https://notcve.org/view.php?id=CVE-2024-34312
24 Jun 2024 — Virtual Programming Lab for Moodle up to v4.2.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component vplide.js. • https://github.com/vincentscode/CVE-2024-34312 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •