
CVE-2024-37674
https://notcve.org/view.php?id=CVE-2024-37674
20 Jun 2024 — Cross-site scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to inject arbitrary web script, executed in a victim's browser, via the Field Name (name parameter) of a new activity. • http://moodle.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-38277 – moodle: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys
https://notcve.org/view.php?id=CVE-2024-38277
18 Jun 2024 — A user's QR login key and auto-login key for the Moodle mobile app were not generated as distinct keys, so one could be used in place of the other. A separate, unique key should be generated for each so the two cannot be used interchangeably. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6 • CWE-324: Use of a Key Past its Expiration Date • CWE-326: Inadequate Encryption Strength
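
The entry above describes a key that served two purposes at once. The following is an added example, not Moodle's code, of a login-key store that binds each key to exactly one purpose and also enforces expiry and single use. The purpose names "qrlogin" and "autologin", the ten-minute TTL, and every class and function name are assumptions made for this illustration.

```python
"""Added example (not Moodle's code): login keys bound to a single purpose.

The store stands in for an application's login-key table. The purpose names
"qrlogin" and "autologin", the TTL and all function names are assumptions
made for this illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass

KEY_TTL_SECONDS = 10 * 60   # assumed lifetime of a short-lived login key


@dataclass
class StoredKey:
    user_id: int
    purpose: str        # exactly one of "qrlogin" / "autologin"
    expires_at: float


def _hash_key(raw_key: str) -> str:
    # Only a hash of the secret is kept server-side.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class LoginKeyStore:
    def __init__(self) -> None:
        self._keys = {}   # key hash -> StoredKey

    def issue(self, user_id: int, purpose: str, now: float) -> str:
        """Mint a fresh random key that is valid for one purpose only."""
        raw = secrets.token_urlsafe(32)
        self._keys[_hash_key(raw)] = StoredKey(user_id, purpose, now + KEY_TTL_SECONDS)
        return raw

    def redeem(self, raw_key: str, purpose: str, now: float):
        """Return the user id if the key is valid for *this* purpose, else None.

        A key is deleted when redeemed (no replay) and when found expired.
        """
        h = _hash_key(raw_key)
        stored = self._keys.get(h)
        if stored is None:
            return None
        if now >= stored.expires_at:
            del self._keys[h]
            return None
        # The purpose check is the substance of the fix: a key issued for QR
        # login must not be accepted by the auto-login endpoint, or vice versa.
        if stored.purpose != purpose:
            return None
        del self._keys[h]
        return stored.user_id


def demo() -> tuple:
    """Exercise the store; returns (cross_purpose, own_purpose, replay, expired)."""
    store = LoginKeyStore()
    t0 = 1_700_000_000.0
    qr_key = store.issue(user_id=42, purpose="qrlogin", now=t0)
    cross_purpose = store.redeem(qr_key, purpose="autologin", now=t0 + 1)   # None
    own_purpose = store.redeem(qr_key, purpose="qrlogin", now=t0 + 2)       # 42
    replay = store.redeem(qr_key, purpose="qrlogin", now=t0 + 3)            # None
    auto_key = store.issue(user_id=42, purpose="autologin", now=t0)
    expired = store.redeem(auto_key, purpose="autologin", now=t0 + KEY_TTL_SECONDS + 1)  # None
    return cross_purpose, own_purpose, replay, expired
```

The purpose is stored with the key rather than encoded in the key string, so a client cannot alter it; rejecting a mismatch before consuming the key also means a failed cross-purpose attempt does not burn the legitimate one.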

CVE-2024-38276 – moodle: CSRF risks due to misuse of confirm_sesskey
https://notcve.org/view.php?id=CVE-2024-38276
18 Jun 2024 — Incorrect CSRF token checks resulted in multiple CSRF risks. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2024-38275 – moodle: HTTP authorization header is preserved between "emulated redirects"
https://notcve.org/view.php?id=CVE-2024-38275
18 Jun 2024 — The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP Authorization header information could be unintentionally sent in requests to redirect target URLs. • https://moodle.org/mod/forum/discuss.php?d=459500 • CWE-226: Sensitive Information in Resource Not Removed Before Reuse
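
When an application follows redirects itself (the "emulated redirects" in the title) instead of letting the HTTP library do it, the application also inherits the library's job of deciding which headers may travel to the new location. libcurl's own redirect handling, for comparison, does not forward the Authorization header to a different host unless CURLOPT_UNRESTRICTED_AUTH is set. The following is an added example written for this page, not Moodle's cURL wrapper: a minimal redirect follower that drops credential-bearing headers on a cross-origin hop, with a flag to reproduce the leaky behaviour. The transport, hostnames, paths and token value are all constructed so it runs offline.

```python
"""Added example (not Moodle's code): following redirects without leaking
credentials. The transport is a fake returning constructed responses; the
URLs and the bearer token are made up for the illustration.
"""
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials meant for the origin they were sent to.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}
MAX_REDIRECTS = 5
_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str) -> tuple:
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORTS.get(scheme))


def same_origin(url_a: str, url_b: str) -> bool:
    return _origin(url_a) == _origin(url_b)


def follow(url: str, headers: dict, transport, strip_on_cross_origin: bool = True):
    """Fetch url, following redirects. Returns (final_url, body, request_log).

    request_log holds the headers actually sent to each hop. With
    strip_on_cross_origin=False the client behaves like the vulnerable
    wrapper: every original header is forwarded to every hop.
    """
    sent = dict(headers)
    log = []
    for _ in range(MAX_REDIRECTS + 1):
        log.append((url, dict(sent)))
        status, resp_headers, body = transport(url, sent)
        location = resp_headers.get("Location")
        if status not in (301, 302, 303, 307, 308) or location is None:
            return url, body, log
        target = urljoin(url, location)          # Location may be relative
        if strip_on_cross_origin and not same_origin(url, target):
            sent = {k: v for k, v in sent.items() if k.lower() not in SENSITIVE_HEADERS}
        url = target
    raise RuntimeError("too many redirects")


def fake_transport(url: str, headers: dict):
    """Constructed responses. The API host redirects to an attacker host, which
    reports whether credentials arrived, as a real collector would log them."""
    if url == "https://api.example.test/report":
        return 302, {"Location": "https://evil.example.test/collect"}, b""
    if url == "https://evil.example.test/collect":
        return 200, {}, b"leaked" if "Authorization" in headers else b"clean"
    if url == "https://api.example.test/v1":
        return 307, {"Location": "/v2"}, b""           # same-origin, relative
    if url == "https://api.example.test/v2":
        return 200, {}, b"auth" if "Authorization" in headers else b"noauth"
    return 404, {}, b""


ORIGINAL_HEADERS = {"Authorization": "Bearer s3cr3t-token", "Accept": "application/json"}


def cross_origin_result(strip: bool):
    """Body seen by the attacker host and the headers sent to it."""
    _, body, log = follow("https://api.example.test/report", ORIGINAL_HEADERS,
                          fake_transport, strip_on_cross_origin=strip)
    return body.decode(), log[-1][1]


def same_origin_result() -> str:
    """A same-origin redirect must keep the Authorization header."""
    _, body, _ = follow("https://api.example.test/v1", ORIGINAL_HEADERS, fake_transport)
    return body.decode()
```

The origin comparison includes scheme and effective port, so an https-to-http redirect on the same host is also treated as cross-origin; Cookie is stripped alongside Authorization because a cookie jar scoped to the original host would otherwise be replayed to the new one.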

CVE-2024-38274 – moodle: stored XSS via calendar's event title when deleting the event
https://notcve.org/view.php?id=CVE-2024-38274
18 Jun 2024 — Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
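
Both XSS entries on this page (CVE-2024-37674 via an activity field name and CVE-2024-38274 via a calendar event title) come down to a stored string reaching an output sink without the escaping that sink requires. The following is an added example, not Moodle's code: a deletion prompt rendered once with raw interpolation and once with context-specific escaping. The prompt's shape, with the title appearing in element text, in an attribute and inside an inline script call, is an assumption for the illustration, as is the payload.

```python
"""Added example (not Moodle's code): escaping a stored title per output
context. The prompt markup and the payload are constructed for this page.
"""
import html
import json

# Constructed stored-XSS payload: closes a <script>, opens another, and also
# tries to break out of a double-quoted attribute.
EVIL_TITLE = '</script><script>alert(document.cookie)</script>" onfocus="alert(1)'


def prompt_unsafe(title: str) -> str:
    """Vulnerable: the title is interpolated raw into markup and script."""
    return (f'<p>Delete event "{title}"?</p>'
            f'<button data-title="{title}">Delete</button>'
            f'<script>confirmDelete("{title}");</script>')


def js_string(value: str) -> str:
    """Encode value as a JS string literal that is safe inside <script>.

    json.dumps escapes quotes and backslashes; '<', '>' and '&' are then
    hex-escaped so the literal can neither terminate the enclosing <script>
    element nor be re-read as markup. HTML-escaping would be wrong here: the
    browser does not HTML-decode script content.
    """
    s = json.dumps(value)
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def prompt_safe(title: str) -> str:
    """Hardened: each sink gets the escaping its own context requires."""
    text = html.escape(title, quote=False)   # element text: & < >
    attr = html.escape(title, quote=True)    # attribute value: also " and '
    return (f'<p>Delete event "{text}"?</p>'
            f'<button data-title="{attr}">Delete</button>'
            f'<script>confirmDelete({js_string(title)});</script>')


def attacker_script_opens(rendered: str) -> bool:
    """Crude detector used below: more than the one legitimate <script> start
    means attacker-controlled markup became live."""
    return rendered.count("<script") > 1


def js_roundtrip_ok(value: str) -> bool:
    """The escaped literal must still decode to the original title."""
    return json.loads(js_string(value)) == value
```

The point a single escape() call hides is that the same string needs three different treatments here; frameworks that auto-escape for HTML still leave the inline-script sink to the developer.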

CVE-2024-38273 – moodle: BigBlueButton web service leaks meeting joining information to users who should not have access
https://notcve.org/view.php?id=CVE-2024-38273
18 Jun 2024 — Insufficient capability checks made it possible for users to gain access to BigBlueButton join URLs they did not have permission to access. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6 • CWE-284: Improper Access Control

CVE-2024-34009 – moodle: ReCAPTCHA can be bypassed on the login page
https://notcve.org/view.php?id=CVE-2024-34009
31 May 2024 — Insufficient checks of whether ReCAPTCHA was enabled made it possible to bypass the ReCAPTCHA check on the login page. Other pages that use ReCAPTCHA were not affected. • https://moodle.org/mod/forum/discuss.php?d=458398 • CWE-20: Improper Input Validation

CVE-2024-34008 – moodle: CSRF risk in analytics management of models
https://notcve.org/view.php?id=CVE-2024-34008
31 May 2024 — Actions in the admin management of analytics models did not include the token needed to prevent a CSRF risk. • https://moodle.org/mod/forum/discuss.php?d=458397 • CWE-352: Cross-Site Request Forgery (CSRF)
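
The two CSRF entries on this page fail in different places: CVE-2024-34008 omits the token check entirely, while CVE-2024-38276 calls the check incorrectly. The advisory does not say which misuse of confirm_sesskey occurred; the "misused" handler below shows one common way a boolean-returning check gets defanged, namely ignoring its return value. This is an added example, not Moodle's code: the Session class, the handlers and the request shape are invented for the illustration, and only the name "sesskey" is taken from the advisory.

```python
"""Added example (not Moodle's code): session-key CSRF checks that enforce.
The handlers and request shape are invented; 'sesskey' follows the advisory.
"""
import hmac
import secrets


class Session:
    def __init__(self) -> None:
        self.user_id = 7
        self.sesskey = secrets.token_urlsafe(16)   # one token per login session


def confirm_sesskey(session: Session, submitted) -> bool:
    """Return True only if a token was submitted and matches the session's.

    Returning a bool instead of raising is what makes this style easy to
    misuse: the caller must act on the result.
    """
    if not isinstance(submitted, str) or not submitted or not submitted.isascii():
        return False
    return hmac.compare_digest(submitted, session.sesskey)


def require_sesskey(session: Session, submitted) -> None:
    """Fail closed: raise if the token is missing or wrong."""
    if not confirm_sesskey(session, submitted):
        raise PermissionError("invalid sesskey")


# Three handlers for a state-changing "delete analytics model" action.

def delete_model_no_token(session, params, models) -> str:
    """Pattern of CVE-2024-34008: no token is required at all."""
    models.discard(params["id"])
    return "deleted"


def delete_model_misused(session, params, models) -> str:
    """One plausible misuse: the check runs but its result is never used."""
    confirm_sesskey(session, params.get("sesskey"))
    models.discard(params["id"])
    return "deleted"


def delete_model_fixed(session, params, models) -> str:
    """Correct: the action proceeds only if the token verifies."""
    require_sesskey(session, params.get("sesskey"))
    models.discard(params["id"])
    return "deleted"


def forged_request_succeeds(handler) -> bool:
    """Simulate a cross-site request: the attacker knows the model id but
    cannot read the victim's sesskey, so the forged form omits it."""
    session = Session()
    models = {"model-1", "model-2"}
    params = {"id": "model-1"}
    try:
        handler(session, params, models)
    except PermissionError:
        return False
    return "model-1" not in models


def legitimate_request_succeeds() -> bool:
    """The victim's own page includes the sesskey, so the fixed handler works."""
    session = Session()
    models = {"model-1"}
    params = {"id": "model-1", "sesskey": session.sesskey}
    delete_model_fixed(session, params, models)
    return "model-1" not in models
```

Making the enforcing form the default (the raising require_sesskey rather than the boolean confirm_sesskey) removes the whole class of "called but ignored" bugs; the comparison is constant-time so the token cannot be recovered byte by byte from timing.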

CVE-2024-34005 – moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup
https://notcve.org/view.php?id=CVE-2024-34005
31 May 2024 — In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include. • https://moodle.org/mod/forum/discuss.php?d=458394 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-34003 – moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_workshop backup
https://notcve.org/view.php?id=CVE-2024-34003
31 May 2024 — In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include. • https://moodle.org/mod/forum/discuss.php?d=458391 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor