CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-14827
https://notcve.org/view.php?id=CVE-2019-14827
17 May 2021 — A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions. Se encontró una vulnerabilidad en Moodle donde la inyección de javaS... • https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62284 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-14831
https://notcve.org/view.php?id=CVE-2019-14831
19 Mar 2021 — A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscribe link contained an open redirect if forced subscription mode was enabled. If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect. Se encontró una vulnerabilidad en Moodle versiones 3.7 hasta 3.7.1, versiones 3.6 hasta 3.6.5, versiones 3.5 hasta 3.5.7 y versiones anteriores no compatibles, donde el enlace de suscrip... • https://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=32e2e06a8737afb07ee83abb3eacd39f8b181216 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2019-14830
https://notcve.org/view.php?id=CVE-2019-14830
19 Mar 2021 — A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app"). Se encontró una vulnerabilidad en Moodle versiones 3.7 hasta 3.7.1, versiones 3.6 hasta 3.6.5, versi... • https://github.com/Fr3d-/moodle-token-stealer • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-14829
https://notcve.org/view.php?id=CVE-2019-14829
19 Mar 2021 — A vulnerability was found in Moodle affection 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode. Se encontró una vulnerabilidad en Moodle afecto versiones 3.7 hasta 3.7.1, versiones 3.6 hasta 3.6.5, versiones 3.5 hasta 3.5.7 y versiones anteriores no compatibles, donde las capacidades de creación de actividades no se respetaron correctamente cuando... • https://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=208397c120b6bf74ca6a173e42cb527904c5ab42 • CWE-573: Improper Following of Specification by Caller •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-14828
https://notcve.org/view.php?id=CVE-2019-14828
19 Mar 2021 — A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role. Se encontró una vulnerabilidad en Moodle que afectaba a versiones 3.7 hasta 3.7.1, versiones 3.6 hasta 3.6.5, versiones 3.5 hasta 3.5.7 y versiones anteriores no compatibles, donde unos usuarios con la capacida... • https://moodle.org/mod/forum/discuss.php?d=391031 • CWE-285: Improper Authorization •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-20283
https://notcve.org/view.php?id=CVE-2021-20283
15 Mar 2021 — The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. El servicio web responsable de obtener los cursos inscritos de otros usuarios no comprobó que el usuario solicitante tuviera permiso para visualizar esa información en cada curso en moodle versiones anteriores a 3.10.2, 3.9.5, 3.8.8, 3.5.17 • https://bugzilla.redhat.com/show_bug.cgi?id=1939051 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-20282
https://notcve.org/view.php?id=CVE-2021-20282
15 Mar 2021 — When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. Cuando se crea una cuenta de usuario, era posible verificar la cuenta sin tener acceso al enlace/secreto del correo electrónico de comprobación en moodle versiones anteriores a 3.10.2, 3.9.5, 3.8.8, 3.5.17 • https://bugzilla.redhat.com/show_bug.cgi?id=1939046 • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-20281
https://notcve.org/view.php?id=CVE-2021-20281
15 Mar 2021 — It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. Fue posible que algunos usuarios sin permiso para visualizar los nombres completos de otros usuarios lo hicieran por medio del bloque de usuarios en línea en moodle versiones anteriores a 3.10.2, 3.9.5, 3.8.8, 3.5.17 • https://bugzilla.redhat.com/show_bug.cgi?id=1939041 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 1CVE-2021-20280 – Moodle Cross Site Scripting / Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2021-20280
15 Mar 2021 — Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. Las respuestas de retroalimentación basadas en texto requirieron saneamiento adicional para prevenir un ataque de tipo XSS almacenado y riesgos SSRF ciegos en moodle versiones anteriores a 3.10.2, 3.9.5, 3.8.8, 3.5.17 Moodle versions 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, and 3.5 to 3.5.16 suffer from cross site scripting and server-side request forgery vu... • http://packetstormsecurity.com/files/164817/Moodle-Cross-Site-Scripting-Server-Side-Request-Forgery.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2021-20279
https://notcve.org/view.php?id=CVE-2021-20279
15 Mar 2021 — The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. El campo ID number user profile requería un saneamiento adicional para evitar un riesgo de tipo XSS almacenado en moodle versiones anteriores a 3.10.2, 3.9.5, 3.8.8, 3.5.17 • https://bugzilla.redhat.com/show_bug.cgi?id=1939033 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •