CVE-2023-46858
https://notcve.org/view.php?id=CVE-2023-46858
Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to enhance their courses ... admins and teachers can post XSS-capable content, but students can not." ** EN DISPUTA ** Moodle 4.3 permite /grade/report/grader/index.php?searchvalue= XSS reflejado cuando se inicia sesión como profesor. NOTA: el enlace de preguntas frecuentes sobre seguridad de Moodle indica: "Los profesores utilizan algunas formas de contenido enriquecido para mejorar sus cursos... los administradores y profesores pueden publicar contenido compatible con XSS, pero los estudiantes no". • https://docs.moodle.org/403/en/Security_FAQ#I_have_discovered_Cross_Site_Scripting_.28XSS.29_is_possible_with_Moodle https://gist.github.com/Abid-Ahmad/12d2b4878eb731e8871b96b7d55125cd https://packetstormsecurity.com/files/175277/Moodle-4.3-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-35132 – Moodle: minor sql injection risk on mnet sso access control page
https://notcve.org/view.php?id=CVE-2023-35132
A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. • https://bugzilla.redhat.com/show_bug.cgi?id=2214371 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT https://moodle.org/mod/forum/discuss.php?d=447830 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-35133 – Moodle: ssrf risk due to insufficient check on the curl blocked hosts
https://notcve.org/view.php?id=CVE-2023-35133
An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions. • https://bugzilla.redhat.com/show_bug.cgi?id=2214373 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT https://moodle.org/mod/forum/discuss.php?d=447831 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-35131 – Moodle: xss risk on groups page
https://notcve.org/view.php?id=CVE-2023-35131
Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14. • https://bugzilla.redhat.com/show_bug.cgi?id=2214369 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT https://moodle.org/mod/forum/discuss.php?d=447829 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-30943 – Moodle: tinymce loaders susceptible to arbitrary folder creation
https://notcve.org/view.php?id=CVE-2023-30943
The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system. • https://github.com/d0rb/CVE-2023-30943 https://github.com/Chocapikk/CVE-2023-30943 https://github.com/RubyCat1337/CVE-2023-30943 http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77718 https://bugzilla.redhat.com/show_bug.cgi?id=2188605 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY htt • CWE-73: External Control of File Name or Path CWE-610: Externally Controlled Reference to a Resource in Another Sphere •