CVSS: 7.1EPSS: 0%CPEs: 12EXPL: 0CVE-2015-5332
https://notcve.org/view.php?id=CVE-2015-5332
Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role and entering drafts with the editor-autosave feature. Atto en Moodle 2.8.x en versiones anteriores a 2.8.9 y 2.9.x en versiones anteriores a 2.9.3 permite a atacantes remotos causar una denegación de servicio (consumo de disco) aprovechando el rol invitado e introduciendo borradores con la funcionalidad editor-autosave. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51000 https://moodle.org/mod/forum/discuss.php?d=323229 • CWE-399: Resource Management Errors •
CVSS: 6.1EPSS: 0%CPEs: 24EXPL: 0CVE-2015-5337
https://notcve.org/view.php?id=CVE-2015-5337
Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file. Moodle hasta la versión 2.6.11, 2.7.x en versiones anteriores a 2.7.11, 2.8.x en versiones anteriores a 2.8.9 y 2.9.x en versiones anteriores a 2.9.3 no restringe adecuadamente la disponibilidad de Flowplayer, lo que permite a atacantes remotos llevar a cabo ataques de secuencias de comandos en sitios cruzados (XSS) a través de un archivo .swf manipulado. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48085 https://moodle.org/mod/forum/discuss.php?d=323232 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 18EXPL: 0CVE-2016-0725
https://notcve.org/view.php?id=CVE-2016-0725
Cross-site scripting (XSS) vulnerability in the search_pagination function in course/classes/management_renderer.php in Moodle 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted search string. Vulnerabilidad de XSS en la función search_pagination en course/classes/management_renderer.php en Moodle 2.8.x en versiones anteriores a 2.8.10, 2.9.x en versiones anteriores a 2.9.4 y 3.0.x en versiones anteriores a 3.0.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una cadena de búsqueda manipulada. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52552 http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176502.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176436.html http://www.openwall.com/lists/oss-security/2016/01/18/1 http://www.securitytracker.com/id/1034694 https://moodle.org/mod/forum/discuss.php?d=326206 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.0EPSS: 0%CPEs: 22EXPL: 0CVE-2015-0211
https://notcve.org/view.php?id=CVE-2015-0211
mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before proceeding with registered-tool list searches, which allows remote authenticated users to obtain sensitive information via requests to the LTI Ajax service. mod/lti/ajax.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.7, 2.7.x anterior a 2.7.4, y 2.8.x anterior a 2.8.2 no considera las capacidades moodle/course:manageactivities y mod/lti:addinstance antes de proceder con búsquedas de listas de herramientas registradas, lo que permite a usuarios remotos autenticados obtener información sensible a través de solicitudes al servicio LTI Ajax. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47920 http://openwall.com/lists/oss-security/2015/01/19/1 https://moodle.org/mod/forum/discuss.php?d=278611 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.5EPSS: 0%CPEs: 22EXPL: 0CVE-2015-0212
https://notcve.org/view.php?id=CVE-2015-0212
Cross-site scripting (XSS) vulnerability in course/pending.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted course summary. Vulnerabilidad de XSS en course/pending.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.7, 2.7.x anterior a 2.7.4, y 2.8.x anterior a 2.8.2 permite a usuarios remotos autenticados inyectar secuencias de comandos web arbitrarios o HTML a través de un resumen de curso manipulado. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368 http://openwall.com/lists/oss-security/2015/01/19/1 https://moodle.org/mod/forum/discuss.php?d=278612 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •