CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 0CVE-2023-5544 – Moodle: stored xss and potential idor risk in wiki comments
https://notcve.org/view.php?id=CVE-2023-5544
09 Nov 2023 — Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. Los comentarios de Wiki requirieron restricciones de acceso y sanitización adicionales para evitar un riesgo XSS almacenado y un riesgo potencial de IDOR. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79509 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 0CVE-2023-5541 – Moodle: xss risk when using csv grade import method
https://notcve.org/view.php?id=CVE-2023-5541
09 Nov 2023 — The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content. El método de importación de calificaciones CSV contenía un riesgo XSS para los usuarios que importaban la hoja de cálculo, si contenía contenido no seguro. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79426 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 5%CPEs: 7EXPL: 0CVE-2023-5540 – Moodle: authenticated remote code execution risk in imscp
https://notcve.org/view.php?id=CVE-2023-5540
09 Nov 2023 — A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers. Se identificó un riesgo de ejecución remota de código en la actividad IMSCP. Por defecto, esto sólo estaba disponible para profesores y directivos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79409 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 5%CPEs: 7EXPL: 0CVE-2023-5539 – Moodle: authenticated remote code execution risk in lesson
https://notcve.org/view.php?id=CVE-2023-5539
09 Nov 2023 — A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. Se identificó un riesgo de ejecución remota de código en la actividad Lesson. Por defecto, esto sólo estaba disponible para profesores y directivos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79408 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2023-35131 – Moodle: xss risk on groups page
https://notcve.org/view.php?id=CVE-2023-35131
22 Jun 2023 — Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14. • https://bugzilla.redhat.com/show_bug.cgi?id=2214369 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-35132 – Moodle: minor sql injection risk on mnet sso access control page
https://notcve.org/view.php?id=CVE-2023-35132
22 Jun 2023 — A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. • https://bugzilla.redhat.com/show_bug.cgi?id=2214371 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-35133 – Moodle: ssrf risk due to insufficient check on the curl blocked hosts
https://notcve.org/view.php?id=CVE-2023-35133
22 Jun 2023 — An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. • https://bugzilla.redhat.com/show_bug.cgi?id=2214373 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 1%CPEs: 8EXPL: 0CVE-2023-30944 – Moodle: minor sql injection risk in external wiki method for listing pages
https://notcve.org/view.php?id=CVE-2023-30944
02 May 2023 — The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77187 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2022-40208
https://notcve.org/view.php?id=CVE-2022-40208
24 Mar 2023 — In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt. • https://moodle.org/mod/forum/discuss.php?d=438761 • CWE-285: Improper Authorization •
CVSS: 9.0EPSS: 1%CPEs: 8EXPL: 0CVE-2023-28329 – Moodle: authenticated sql injection via availability check
https://notcve.org/view.php?id=CVE-2023-28329
23 Mar 2023 — Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers). • https://bugzilla.redhat.com/show_bug.cgi?id=2179406 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •