CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2012-3388
https://notcve.org/view.php?id=CVE-2012-3388
23 Jul 2012 — The is_enrolled function in lib/accesslib.php in Moodle 2.2.x before 2.2.4 and 2.3.x before 2.3.1 does not properly interact with the caching feature, which might allow remote authenticated users to bypass an intended capability check via unspecified vectors that trigger caching of a user record. La función is_enrolled en lib/accesslib.php en Moodle v2.2.x anteriores a v2.2.4 y v2.3.x anteriores a v2.3.1 no interactúa de forma adecuada con la característica de cacheado, lo qe podría permitir a usuarios remo... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33916 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 0CVE-2012-3390
https://notcve.org/view.php?id=CVE-2012-3390
23 Jul 2012 — lib/filelib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not properly restrict file access after a block has been hidden, which allows remote authenticated users to obtain sensitive information by reading a file that is embedded in a block. lib/filelib.php en Moodle v2.1.x anteriores a v2.1.7 y v2.2.x anteriores a v2.2.4 no restringe de forma adecuada el fichero a un fichero después de que un bloque se haya ocultado, lo que permite a usuarios autenticados remotos a obtener información sensib... • http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=c58c05ad4f22c6ee1e136a7d4caaddd809a7134d • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2012-3392
https://notcve.org/view.php?id=CVE-2012-3392
23 Jul 2012 — mod/forum/unsubscribeall.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not consider whether a forum is optional, which allows remote authenticated users to bypass forum-subscription requirements by leveraging the student role and unsubscribing from all forums. mod/forum/unsubscribeall.php en Moodle v2.1.x anteriores a v2.1.7 y v2.2.x anteriores a v2.2.4 no tiene en cuenta si un foro es opcional, lo que permite a usuarios remotos autenticados eludir los requisitos de suscripción foro, aprovech... • http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_22_STABLE&st=commit&s=MDL-31460 • CWE-16: Configuration •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-3387
https://notcve.org/view.php?id=CVE-2012-3387
23 Jul 2012 — Moodle 2.3.x before 2.3.1 uses only a client-side check for whether references are permitted in a file upload, which allows remote authenticated users to bypass intended alias (aka shortcut) restrictions via a client that omits this check. Moodle v2.3.x anteriores a v2.3.1 usa solo un control del lado del cliente utiliza sólo una comprobación del lado del cliente para saber si las referencias están permitidas en un archivo subido, lo que permite a usuarios remotos autenticados omitir las restricciones de al... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33948 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.4EPSS: 0%CPEs: 22EXPL: 0CVE-2012-3397
https://notcve.org/view.php?id=CVE-2012-3397
23 Jul 2012 — lib/modinfolib.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 does not check for a group-membership requirement when determining whether an activity is unavailable or hidden, which allows remote authenticated users to bypass intended access restrictions by selecting an activity that is configured for a group of other users. lib/modinfolib.php en Moodle v2.0.x anteriores a v2.0.10, v2.1.x anteiores a v2.1.7, v2.2.x anteriores a v2.2.4, y v2.3.x anteriores a ... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33466 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2012-3394
https://notcve.org/view.php?id=CVE-2012-3394
23 Jul 2012 — auth/ldap/ntlmsso_attempt.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 redirects users from an https LDAP login URL to an http URL, which allows remote attackers to obtain sensitive information by sniffing the network. auth/ldap/ntlmsso_attempt.php en Moodle v2.0.x anteriores a v2.0.10, v2.1.x anteriores a v2.1.7, v2.2.x anteriores a v2.2.4, y v2.3.x anteriores a v2.3.1 redirecciona usuarios desde una dirección URL HTTPS de login LDAP, lo que permite atac... • http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=9d8d2ee6192e8b7ebb6713bd6215e06f94e2a9f7 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 21EXPL: 0CVE-2012-3395
https://notcve.org/view.php?id=CVE-2012-3395
23 Jul 2012 — SQL injection vulnerability in mod/feedback/complete.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to execute arbitrary SQL commands via crafted form data. Vulnerabilidad de inyección SQL en mod/feedback/complete.php en Moodle v2.0.x anteriores a v2.0.10, v2.1.x anteriores a v2.1.7, y v2.2.x anteriores a v2.2.4, permite a atacantes remotos ejecutar comandos SQL de su elección a través de un formulario de datos modificado. • http://git.moodle.org/gw?p=moodle.git&a=search&h=9d8d2ee6192e8b7ebb6713bd6215e06f94e2a9f7&st=commit&s=MDL-27675 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 11EXPL: 0CVE-2012-3391
https://notcve.org/view.php?id=CVE-2012-3391
23 Jul 2012 — mod/forum/rsslib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not properly implement the requirement for posting before reading a Q&A forum, which allows remote authenticated users to bypass intended access restrictions by leveraging the student role and reading the RSS feed for a forum. mod/forum/rsslib.php en Moodle v2.1.x anteriores a v2.1.7 y v2.2.x anteriores a v2.2.4 no implementan de forma adecuada el requisito para escribir un post, después de leer un foro Q&A, lo que permite a usuar... • http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_22_STABLE&st=commit&s=MDL-32199 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.8EPSS: 0%CPEs: 22EXPL: 0CVE-2012-3396
https://notcve.org/view.php?id=CVE-2012-3396
23 Jul 2012 — Cross-site scripting (XSS) vulnerability in cohort/edit_form.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the idnumber field. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2365. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en cohort/edit_form.php en Moodle v2.0.x anteriores a v2.0.10, v2.1.x anteriores a v2.1.7... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34045 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 18EXPL: 0CVE-2012-2364
https://notcve.org/view.php?id=CVE-2012-2364
21 Jul 2012 — Cross-site scripting (XSS) vulnerability in lib/filelib.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via an assignment submission with zip compression, leading to text/html rendering during a "download all" action. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en lib/filelib.php en Moodle v2.0.x antgeriores a v2.0.9, v2.1.x anteriores v2.1.6, y v2.2.x anteriores a v2.2.3 ... • http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=ce4126c7a9e07dd0514f7ac297b5e60cad0b8d20 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •