CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 1CVE-2021-36568
https://notcve.org/view.php?id=CVE-2021-36568
13 Sep 2022 — In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7. En determinados productos Moodle después de crear un curso, es posible añadir en un "Topic" arbitrario un recurso, en este caso una "Database" con el tipo "Text" donde sus valores "Field na... • https://blog.hackingforce.com.br/en/cve-2021-36568 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2020-14320
https://notcve.org/view.php?id=CVE-2020-14320
16 Aug 2022 — In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk. En Moodle versiones anteriores a 3.9.1, 3.8.4 y 3.7.7, el filtro en el registro de tareas del administrador requería un saneo extra para prevenir un riesgo de tipo XSS reflejado. • https://moodle.org/mod/forum/discuss.php?d=407392 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-14322
https://notcve.org/view.php?id=CVE-2020-14322
16 Aug 2022 — In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service. En Moodle versiones anteriores a 3.9.1, 3.8.4, 3.7.7 y 3.5.13, yui_combo necesitaba limitar la cantidad de archivos que puede cargar para ayudar a mitigar el riesgo de denegación de servicio. • https://moodle.org/mod/forum/discuss.php?d=407394 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.4EPSS: 14%CPEs: 12EXPL: 0CVE-2022-35653
https://notcve.org/view.php?id=CVE-2022-35653
25 Jul 2022 — A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 0CVE-2022-35652
https://notcve.org/view.php?id=CVE-2022-35652
25 Jul 2022 — An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information. Se ha encontrado un problema de redireccionamiento abierto en Moodle debido a un saneamiento inapr... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 12EXPL: 0CVE-2022-35651
https://notcve.org/view.php?id=CVE-2022-35651
25 Jul 2022 — A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. Se encontró una vulnerabilidad de tipo XSS almacenado y SSRF... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71921 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-35650
https://notcve.org/view.php?id=CVE-2022-35650
25 Jul 2022 — The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default. La vulnerabilidad se encontró en Moodle, es producido debido a un error de comprobación de entrada cuando son importadas las preguntas de las lecciones... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72029 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 2%CPEs: 5EXPL: 1CVE-2022-35649
https://notcve.org/view.php?id=CVE-2022-35649
25 Jul 2022 — The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system. La vulnerabilidad fue encontrada en Moodle, ocurre debido a una comprobación de entrada inapropiada cuando se analiza el código PostScript. Un parámetro de ejecución omitido ... • https://github.com/antoinenguyen-09/CVE-2022-35649 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 1CVE-2022-30600
https://notcve.org/view.php?id=CVE-2022-30600
18 May 2022 — A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed. Se ha encontrado un fallo en moodle en el que la lógica usada para contar los intentos de inicio de sesión fallidos podía resultar en que sea omitido el umbral de bloqueo de la cuenta • https://github.com/Boonjune/POC-CVE-2022-30600 • CWE-682: Incorrect Calculation •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-30599
https://notcve.org/view.php?id=CVE-2022-30599
18 May 2022 — A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria. Se encontró un fallo en moodle donde se identificó un riesgo de inyección SQL en el código de Badges relacionado con la configuración de criterios • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74333 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •