CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2023-35131 – Moodle: xss risk on groups page
https://notcve.org/view.php?id=CVE-2023-35131
22 Jun 2023 — Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14. • https://bugzilla.redhat.com/show_bug.cgi?id=2214369 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-35132 – Moodle: minor sql injection risk on mnet sso access control page
https://notcve.org/view.php?id=CVE-2023-35132
22 Jun 2023 — A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. • https://bugzilla.redhat.com/show_bug.cgi?id=2214371 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-35133 – Moodle: ssrf risk due to insufficient check on the curl blocked hosts
https://notcve.org/view.php?id=CVE-2023-35133
22 Jun 2023 — An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. • https://bugzilla.redhat.com/show_bug.cgi?id=2214373 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 10%CPEs: 5EXPL: 3CVE-2023-30943 – Moodle: tinymce loaders susceptible to arbitrary folder creation
https://notcve.org/view.php?id=CVE-2023-30943
02 May 2023 — The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system. • https://github.com/d0rb/CVE-2023-30943 • CWE-73: External Control of File Name or Path CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 7.5EPSS: 1%CPEs: 8EXPL: 0CVE-2023-30944 – Moodle: minor sql injection risk in external wiki method for listing pages
https://notcve.org/view.php?id=CVE-2023-30944
02 May 2023 — The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77187 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2022-40208
https://notcve.org/view.php?id=CVE-2022-40208
24 Mar 2023 — In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt. • https://moodle.org/mod/forum/discuss.php?d=438761 • CWE-285: Improper Authorization •
CVSS: 9.0EPSS: 1%CPEs: 8EXPL: 0CVE-2023-28329 – Moodle: authenticated sql injection via availability check
https://notcve.org/view.php?id=CVE-2023-28329
23 Mar 2023 — Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers). • https://bugzilla.redhat.com/show_bug.cgi?id=2179406 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-28330 – Moodle: authenticated arbitrary file read through malformed backup file
https://notcve.org/view.php?id=CVE-2023-28330
23 Mar 2023 — Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default. • https://bugzilla.redhat.com/show_bug.cgi?id=2179412 • CWE-20: Improper Input Validation •
CVSS: 6.4EPSS: 0%CPEs: 8EXPL: 0CVE-2023-28331 – Moodle: xss risk when outputting database activity filter data
https://notcve.org/view.php?id=CVE-2023-28331
23 Mar 2023 — Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk. • https://bugzilla.redhat.com/show_bug.cgi?id=2179418 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 8EXPL: 0CVE-2023-28332 – Moodle: algebra filter xss when filter is misconfigured
https://notcve.org/view.php?id=CVE-2023-28332
23 Mar 2023 — If the algebra filter was enabled but not functional (eg the necessary binaries were missing from the server), it presented an XSS risk. • https://bugzilla.redhat.com/show_bug.cgi?id=2179419 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •