CVE-2023-35133 – Moodle: ssrf risk due to insufficient check on the curl blocked hosts
https://notcve.org/view.php?id=CVE-2023-35133
An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. • https://bugzilla.redhat.com/show_bug.cgi?id=2214373 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT https://moodle.org/mod/forum/discuss.php?d=447831 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-35131 – Moodle: xss risk on groups page
https://notcve.org/view.php?id=CVE-2023-35131
Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14. • https://bugzilla.redhat.com/show_bug.cgi?id=2214369 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT https://moodle.org/mod/forum/discuss.php?d=447829 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-30944 – Moodle: minor sql injection risk in external wiki method for listing pages
https://notcve.org/view.php?id=CVE-2023-30944
The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77187 https://bugzilla.redhat.com/show_bug.cgi?id=2188606 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PBFSXRYLT4ICKJVQSRBAOUDMDRVSVBLS https://moodle.org/mod/foru • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-40208
https://notcve.org/view.php?id=CVE-2022-40208
In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt. • https://moodle.org/mod/forum/discuss.php?d=438761 • CWE-285: Improper Authorization •
CVE-2023-1402 – Moodle: course participation report shows roles the user should not see
https://notcve.org/view.php?id=CVE-2023-1402
The course participation report required additional checks to prevent roles being displayed which the user did not have access to view. • https://bugzilla.redhat.com/show_bug.cgi?id=2179427 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QZN34VSF4HTCW3C3ZP2OZYSLYUKADPF https://moodle.org/mod/forum/discuss.php?d=445069 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •