CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-46858
https://notcve.org/view.php?id=CVE-2023-46858
Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to enhance their courses ... admins and teachers can post XSS-capable content, but students can not." ** EN DISPUTA ** Moodle 4.3 permite /grade/report/grader/index.php?searchvalue= XSS reflejado cuando se inicia sesión como profesor. NOTA: el enlace de preguntas frecuentes sobre seguridad de Moodle indica: "Los profesores utilizan algunas formas de contenido enriquecido para mejorar sus cursos... los administradores y profesores pueden publicar contenido compatible con XSS, pero los estudiantes no". • https://docs.moodle.org/403/en/Security_FAQ#I_have_discovered_Cross_Site_Scripting_.28XSS.29_is_possible_with_Moodle https://gist.github.com/Abid-Ahmad/12d2b4878eb731e8871b96b7d55125cd https://packetstormsecurity.com/files/175277/Moodle-4.3-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-35132 – Moodle: minor sql injection risk on mnet sso access control page
https://notcve.org/view.php?id=CVE-2023-35132
A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. • https://bugzilla.redhat.com/show_bug.cgi?id=2214371 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT https://moodle.org/mod/forum/discuss.php?d=447830 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2023-35131 – Moodle: xss risk on groups page
https://notcve.org/view.php?id=CVE-2023-35131
Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14. • https://bugzilla.redhat.com/show_bug.cgi?id=2214369 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT https://moodle.org/mod/forum/discuss.php?d=447829 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-35133 – Moodle: ssrf risk due to insufficient check on the curl blocked hosts
https://notcve.org/view.php?id=CVE-2023-35133
An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. • https://bugzilla.redhat.com/show_bug.cgi?id=2214373 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT https://moodle.org/mod/forum/discuss.php?d=447831 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-27131
https://notcve.org/view.php?id=CVE-2021-27131
Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer. NOTE: this is disputed by the vendor because the "Additional HTML Section" for "Header and Footer" can only be supplied by an administrator, who is intentionally allowed to enter unsanitized input (e.g., site-specific JavaScript). • https://docs.moodle.org/402/en/Risks https://github.com/moodle/moodle https://github.com/p4nk4jv/CVEs-Assigned/blob/master/Moodle-3.10.1-CVE-2021-27131.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •