
CVE-2025-26530 – Reflected XSS via question bank filter
https://notcve.org/view.php?id=CVE-2025-26530
24 Feb 2025 — The question bank filter required additional sanitizing to prevent a reflected XSS risk. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84146 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-26529 – Stored XSS risk in admin live log
https://notcve.org/view.php?id=CVE-2025-26529
24 Feb 2025 — Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk. • https://github.com/NightBloodz/moodleTestingEnv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-26528 – Stored XSS in ddimageortext question type
https://notcve.org/view.php?id=CVE-2025-26528
24 Feb 2025 — The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82896 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-26527 – Non-searchable tags can still be discovered on the tag search page and in the tags block
https://notcve.org/view.php?id=CVE-2025-26527
24 Feb 2025 — Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83941 • CWE-1230: Exposure of Sensitive Information Through Metadata •

CVE-2025-26526 – Feedback response viewing and deletions did not respect Separate Groups mode
https://notcve.org/view.php?id=CVE-2025-26526
24 Feb 2025 — Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79976 • CWE-863: Incorrect Authorization •

CVE-2025-26525 – Arbitrary file read risk through pdfTeX
https://notcve.org/view.php?id=CVE-2025-26525
24 Feb 2025 — Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed). • https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84136 • CWE-552: Files or Directories Accessible to External Parties •

CVE-2024-48898 – Moodle: some users can delete audiences of other reports
https://notcve.org/view.php?id=CVE-2024-48898
18 Nov 2024 — A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from. • https://bugzilla.redhat.com/show_bug.cgi?id=2318820 • CWE-862: Missing Authorization

CVE-2024-48897 – Moodle: idor in edit/delete rss feed
https://notcve.org/view.php?id=CVE-2024-48897
18 Nov 2024 — A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify. • https://bugzilla.redhat.com/show_bug.cgi?id=2318821 • CWE-285: Improper Authorization

CVE-2024-48900 – Moodle: idor when accessing list of badge recipients
https://notcve.org/view.php?id=CVE-2024-48900
13 Nov 2024 — A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to. • https://bugzilla.redhat.com/show_bug.cgi?id=2318818 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2024-43435 – Moodle: can create global glossary without being admin
https://notcve.org/view.php?id=CVE-2024-43435
11 Nov 2024 — A flaw was found in Moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary. • https://bugzilla.redhat.com/show_bug.cgi?id=2304263 • CWE-754: Improper Check for Unusual or Exceptional Conditions