CVSS: 5.4EPSS: 0%CPEs: 35EXPL: 0CVE-2014-3553
https://notcve.org/view.php?id=CVE-2014-3553
29 Jul 2014 — mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships. mod/forum/classes/post_form.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38990 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3549
https://notcve.org/view.php?id=CVE-2014-3549
29 Jul 2014 — Cross-site scripting (XSS) vulnerability in the get_description function in lib/classes/event/user_login_failed.php in Moodle 2.7.x before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted username that is improperly handled during the logging of an invalid login attempt. Vulnerabilidad de XSS en la función get_description en lib/classes/event/user_login_failed.php en Moodle 2.7.x anterior a 2.7.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitra... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46201 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 35EXPL: 0CVE-2014-3543
https://notcve.org/view.php?id=CVE-2014-3543
29 Jul 2014 — mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format. mod/imscp/locallib.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45417 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 1%CPEs: 35EXPL: 6CVE-2014-3544 – Moodle 2.7 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-3544
25 Jul 2014 — Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field. Vulnerabilidad de XSS en user/profile.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 permite a usuarios remotos autenticados inyectar secuencias de comandos w... • https://packetstorm.news/files/id/127624 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 64EXPL: 0CVE-2014-0214
https://notcve.org/view.php?id=CVE-2014-0214
27 May 2014 — login/token.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 creates a MoodleMobile web-service token with an infinite lifetime, which makes it easier for remote attackers to hijack sessions via a brute-force attack. login/token.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.10, 2.5.x anterior a 2.5.6 y 2.6.x anterior a 2.6.3 crea un token de servicio web MoodleMobile con una vida infinita, lo que facilita a atacantes remotos secuestrar sesiones a través de un ... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43119 • CWE-287: Improper Authentication •
CVSS: 9.1EPSS: 0%CPEs: 64EXPL: 0CVE-2014-0215
https://notcve.org/view.php?id=CVE-2014-0215
27 May 2014 — The blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote authenticated users to de-anonymize student identities by (1) using a screen reader or (2) reading the HTML source. La implementación de calificación a ciegas en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.10, 2.5.x anterior a 2.5.6 y 2.6.x anterior a 2.6.3 permite a usuarios remotos autenticados revelar la identidad de estudiantes mediante (1) el uso de un lector de pantall... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44750 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 64EXPL: 0CVE-2014-0213
https://notcve.org/view.php?id=CVE-2014-0213
27 May 2014 — Multiple cross-site request forgery (CSRF) vulnerabilities in mod/assign/locallib.php in the Assignment subsystem in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allow remote attackers to hijack the authentication of teachers for quick-grading requests. Múltiples vulnerabilidades de CSRF en mod/assign/locallib.php en el subsistema Assignment en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.10, 2.5.x anterior a 2.5.6 y 2.6.x anterior a 2.6.3 permiten a atacantes remotos ... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44606 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2014-0217
https://notcve.org/view.php?id=CVE-2014-0217
27 May 2014 — enrol/index.php in Moodle 2.6.x before 2.6.3 does not check for the moodle/course:viewhiddencourses capability before listing hidden courses, which allows remote attackers to obtain sensitive name and summary information about these courses by leveraging the guest role and visiting a crafted URL. enrol/index.php en Moodle 2.6.x anterior a 2.6.3 no comprueba para la funcionalidad moodle/course:viewhiddencourses antes de listar cursos escondidos, lo que permite a atacantes remotos obtener información sensible... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45126 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 64EXPL: 0CVE-2014-0218
https://notcve.org/view.php?id=CVE-2014-0218
27 May 2014 — Cross-site scripting (XSS) vulnerability in the URL downloader repository in repository/url/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en el repositorio de URL de descarga en repository/url/lib.php en Moodle hasta 2.3.11, 2.4.x hasta 2.4.10, 2.5.x anterior a 2.5.6 y 2.6.x anterior a 2.6.3 permite a atacantes remotos inyectar secuencias de comand... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45332 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 64EXPL: 0CVE-2014-0216
https://notcve.org/view.php?id=CVE-2014-0216
27 May 2014 — The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block. La implementación My Home en la función block_html_pluginfile en blocks/html/lib.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.10, 2.5.x anterior a 2.5.6 y 2.6.x anterior a 2.6.3 no restringe debidament... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43877 • CWE-264: Permissions, Privileges, and Access Controls •