CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7834
https://notcve.org/view.php?id=CVE-2014-7834
24 Nov 2014 — mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service. mod/forum/externallib.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 no verifica permisos de grupos, lo que permite a usuarios remotos autenticados acceder a un foro a través del servicio web forum_get_discussions. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45303 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.4EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7835
https://notcve.org/view.php?id=CVE-2014-7835
24 Nov 2014 — webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area. webservice/upload.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 no asegura que una subida de ficheros es para una área privada o de borrador, lo que permite a usuarios remotos... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47868 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7836
https://notcve.org/view.php?id=CVE-2014-7836
24 Nov 2014 — Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request. Múltiples vulnerabilidades de CSRF en el módulo LTI en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 permiten a atacantes remotos secuestr... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7837
https://notcve.org/view.php?id=CVE-2014-7837
24 Nov 2014 — mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to remove wiki pages by leveraging delete access within a different subwiki. mod/wiki/admin.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 permite a usuarios remotos autenticados eliminar páginas wiki mediante el aprovechamiento del acceso a eliminación dentro de un subwiki diferente. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47949 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7838
https://notcve.org/view.php?id=CVE-2014-7838
24 Nov 2014 — Multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for requests that set a tracking preference within (1) mod/forum/deprecatedlib.php, (2) mod/forum/forum.js, (3) mod/forum/index.php, or (4) mod/forum/lib.php. Múltiples vulnerabilidades de CSRF en el módulo Forum en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anteri... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48019 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.1EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7845
https://notcve.org/view.php?id=CVE-2014-7845
24 Nov 2014 — The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack. La función generate_password en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 no proporciona un número suficiente de contraseñas temporales posibles, lo que permite a atacantes remotos obtener el acces... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47050 • CWE-255: Credentials Management Errors •
CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7846
https://notcve.org/view.php?id=CVE-2014-7846
24 Nov 2014 — tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request. tag/tag_autocomplete.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 no considera la funcionalidad moodle/tag:edit antes de añadir una etiqueta, lo que permite a usuarios remo... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47965 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7847
https://notcve.org/view.php?id=CVE-2014-7847
24 Nov 2014 — iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote attackers to cause a denial of service (resource consumption) by triggering the calculation of an estimated latitude and longitude for an IP address. iplookup/index.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 permite a atacantes remotos causar una denegación de servicio (consumo de recursos) mediante la provocación del cálculo de u... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47321 • CWE-399: Resource Management Errors •
CVSS: 5.3EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7848
https://notcve.org/view.php?id=CVE-2014-7848
24 Nov 2014 — lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. lib/phpunit/bootstrap.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 permite a atacantes remotos obtener información sensible a través de una solicitud directa, lo que revela la ruta completa en un mensaje de error. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47287 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 72EXPL: 0CVE-2014-3617
https://notcve.org/view.php?id=CVE-2014-3617
15 Sep 2014 — The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum. La función forum_print_latest_discussions en mod/forum/lib.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.8, 2.6.x anter... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619 • CWE-264: Permissions, Privileges, and Access Controls •