CVSS: 5.3EPSS: 0%CPEs: 33EXPL: 0CVE-2016-8644
https://notcve.org/view.php?id=CVE-2016-8644
20 Jan 2017 — In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context. En Moodle 2.x y 3.x, la capacidad de ver notas de curso se comprueba en el contexto incorrecto. • http://www.securityfocus.com/bid/94458 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 33EXPL: 0CVE-2016-8643
https://notcve.org/view.php?id=CVE-2016-8643
20 Jan 2017 — In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services. En Moodle 2.x y 3.x, gestores del sitio no administradores podrían editar accidentalmente los administradores a través de los servicios web. • http://www.securityfocus.com/bid/94457 • CWE-284: Improper Access Control •
CVSS: 5.8EPSS: 0%CPEs: 27EXPL: 0CVE-2016-5013
https://notcve.org/view.php?id=CVE-2016-5013
20 Jan 2017 — In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam. En Moodle 2.x y 3.x, puede ocurrir inyección de texto en las cabeceras de email, conduciendo potencialmente a salida de spam. • http://www.securityfocus.com/bid/92040 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2016-9187
https://notcve.org/view.php?id=CVE-2016-9187
04 Nov 2016 — Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. Vulnerabilidad de carga de archivos sin restricciones en el soporte de doble extensión en el módulo "imagen" en Moodle 3.1.2 permite a usuarios remotos autenticados ejecutar código arbitrario subiendo un archivo con una extensión ejecutable, y lu... • http://www.securityfocus.com/bid/94191 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2016-9186
https://notcve.org/view.php?id=CVE-2016-9186
04 Nov 2016 — Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. Vulnerabilidad de carga de archivos sin restricciones en los módulos "archivos de curso legados" y "administrador de archivos" en Moodle 3.1.2 permite a usuarios remotos autenticados ejecutar código arbitrario subiendo un archivo con una extens... • http://www.securityfocus.com/bid/94190 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2016-9188
https://notcve.org/view.php?id=CVE-2016-9188
04 Nov 2016 — Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters. Vulnerabilidades de XSS en Moodle CMS en o en versiones anteriores a 3.1.2 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de los parámetros s_additionalhtmlhead, s_additionalhtmltopofbody y s_additionalhtmlfooter parameters. • http://www.securityfocus.com/bid/94189 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2016-7919
https://notcve.org/view.php?id=CVE-2016-7919
28 Oct 2016 — Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting that "the person who is installing Moodle must know database access credentials and they can access the database directly; there is no need for them to create a SQL injection in one of the installation dialogue fields. ** DISPUTADA ** Mo... • http://www.securityfocus.com/bid/93971 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 19EXPL: 0CVE-2016-2155
https://notcve.org/view.php?id=CVE-2016-2155
22 May 2016 — The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging the Non-Editing Instructor role. La funcionalidad grade-reporting en Singleview (también conocida como Single View) en Moodle 2.8.x en versiones anteriores a 2.8.11, 2.9.x en versiones anteriores a 2.9.5 y 3.0.x en versiones anteriores... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52378 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 33EXPL: 0CVE-2016-2152
https://notcve.org/view.php?id=CVE-2016-2152
22 May 2016 — Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an external DB profile field. Múltiples vulnerabilidades de XSS en auth/db/auth.php en Moodle hasta la versión 2.6.11, 2.7.x en versiones anteriores a 2.7.13, 2.8.x en versiones anteriores a 2.8.11, 2.9.x en versiones anteriores a 2.9.5 y 3.0.x en versiones anter... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50705 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 33EXPL: 0CVE-2016-2151
https://notcve.org/view.php?id=CVE-2016-2151
22 May 2016 — user/index.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 grants excessive authorization on the basis of the moodle/course:viewhiddenuserfields capability, which allows remote authenticated users to discover student e-mail addresses by leveraging the teacher role and reading a Participants list. user/index.php en Moodle hasta la versión 2.6.11, 2.7.x en versiones anteriores a 2.7.13, 2.8.x en versiones anteriores a 2.8.11, 2.9.x en versione... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52433 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •