CVSS: 3.5EPSS: 0%CPEs: 35EXPL: 0CVE-2015-3174
https://notcve.org/view.php?id=CVE-2015-3174
mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading. mod/quiz/db/access.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.11, 2.7.x anterior a 2.7.8, y 2.8.x anterior a 2.8.6 no configura el bit RISK_XSS para graduadores, lo que permite a usuarios remotos autenticados realizar ataques de XSS a través de comentarios (feedback) manipulados del libro de notas durante la graduación manual de cuestionarios. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49941 http://openwall.com/lists/oss-security/2015/05/18/1 http://www.securityfocus.com/bid/74719 http://www.securitytracker.com/id/1032358 https://moodle.org/mod/forum/discuss.php?d=313681 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.0EPSS: 0%CPEs: 29EXPL: 0CVE-2015-2266
https://notcve.org/view.php?id=CVE-2015-2266
message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/site:readallmessages capability before accessing arbitrary conversations, which allows remote authenticated users to obtain sensitive personal-contact and unread-message-count information via a modified URL. message/index.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.9, 2.7.x anterior a 2.7.6, y 2.8.x anterior a 2.8.4 no considera la capacidad moodle/site:readallmessages antes de acceder a conversaciones arbitrarias, lo que permite a usuarios remotos autenticados obtener información sensible sobre contactos personales y la cuenta de mensajes no leídos a través de una URL modificada. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49204 http://openwall.com/lists/oss-security/2015/03/16/1 https://moodle.org/mod/forum/discuss.php?d=307380 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.0EPSS: 0%CPEs: 29EXPL: 0CVE-2015-2271
https://notcve.org/view.php?id=CVE-2015-2271
tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/tag:flag capability before proceeding with a flaginappropriate action, which allows remote authenticated users to bypass intended access restrictions via the "Flag as inappropriate" feature. tag/user.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.9, 2.7.x anterior a 2.7.6, y 2.8.x anterior a 2.8.4 no considera la capacidad moodle/tag:flag antes de proceder con una acción flaginappropriate, lo que permite a usuarios remotos autenticados evadir las restricciones de acceso a través de la característica 'indicador como no apropiado (Flag as inappropriate)'. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49084 http://openwall.com/lists/oss-security/2015/03/16/1 https://moodle.org/mod/forum/discuss.php?d=307385 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.0EPSS: 0%CPEs: 22EXPL: 0CVE-2015-0215
https://notcve.org/view.php?id=CVE-2015-0215
calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request. calendar/externallib.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.7, 2.7.x anterior a 2.7.4, y 2.8.x anterior a 2.8.2 permite a usuarios remotos autenticados obtener información sensible sobre eventos del calendario a través de una solicitud de los servicios web. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48017 http://openwall.com/lists/oss-security/2015/01/19/1 https://moodle.org/mod/forum/discuss.php?d=278615 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 29EXPL: 0CVE-2015-2270
https://notcve.org/view.php?id=CVE-2015-2270
lib/moodlelib.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4, when the theme uses the blocks-regions feature, establishes the course state at an incorrect point in the login-validation process, which allows remote attackers to obtain sensitive course information via unspecified vectors. lib/moodlelib.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.9, 2.7.x anterior a 2.7.6, y 2.8.x anterior a 2.8.4, cuando el tema utiliza la característica de regiones de bloques, establece el estado del curso en un punto incorrecto en el proceso de la validación del inicio de sesión, lo que permite a atacantes remotos obtener información sensible de cursos a través de vectores no especificados. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48804 http://openwall.com/lists/oss-security/2015/03/16/1 https://moodle.org/mod/forum/discuss.php?d=307384 • CWE-17: DEPRECATED: Code •