CVE-2023-28333 – Moodle: pix helper potential mustache code injection risk
https://notcve.org/view.php?id=CVE-2023-28333
The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS). • https://bugzilla.redhat.com/show_bug.cgi?id=2179422 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QZN34VSF4HTCW3C3ZP2OZYSLYUKADPF https://moodle.org/mod/forum/discuss.php?d=445065 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2021-36397
https://notcve.org/view.php?id=CVE-2021-36397
In Moodle, insufficient capability checks meant message deletions were not limited to the current user. • https://moodle.org/mod/forum/discuss.php?d=424803 • CWE-276: Incorrect Default Permissions •
CVE-2021-36400
https://notcve.org/view.php?id=CVE-2021-36400
In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions. • https://moodle.org/mod/forum/discuss.php?d=424806 • CWE-276: Incorrect Default Permissions CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2021-36393 – Moodle 3.10.1 SQL Injection
https://notcve.org/view.php?id=CVE-2021-36393
In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses. Moodle version 3.10.1 suffers from a remote time-based SQL injection vulnerability. • https://github.com/StackOverflowExcept1on/CVE-2021-36393 https://moodle.org/mod/forum/discuss.php?d=424798 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-36396
https://notcve.org/view.php?id=CVE-2021-36396
In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk. • https://github.com/T0X1Cx/CVE-2021-36396-Exploit https://moodle.org/mod/forum/discuss.php?d=424802 • CWE-918: Server-Side Request Forgery (SSRF) •