CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-20185
https://notcve.org/view.php?id=CVE-2021-20185
28 Jan 2021 — It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages. Se encontró en Moodle versiones anteriores a 3.10.1, 3.9.4, 3.8.7 y 3.5.16, que la mensajería no imponía un límite de caracteres al enviar mensajes, lo que podría resultar en la denegación de servicio del lado del cliente (navegador) para los usuarios que recibían men... • https://moodle.org/mod/forum/discuss.php?d=417168 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-20184
https://notcve.org/view.php?id=CVE-2021-20184
28 Jan 2021 — It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades. Se encontró en Moodle versiones anteriores a 3.10.1, 3.9.4 y 3.8.7, que unas comprobaciones de capacidad insuficiente en algunos servicios web relacionados con las calificaciones significaba que los estudiantes podían visualizar las calificaciones de otros estudiantes • https://moodle.org/mod/forum/discuss.php?d=417167 • CWE-354: Improper Validation of Integrity Check Value •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2021-20186
https://notcve.org/view.php?id=CVE-2021-20186
28 Jan 2021 — It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS. Se encontró en Moodle versiones anteriores a 3.10.1, 3.9.4, 3.8.7 y 3.5.16, que si el filtro de notación TeX estaba habilitado, se requería una desinfección adicional del contenido TeX para prevenir el riesgo de un XSS almacenado • https://moodle.org/mod/forum/discuss.php?d=417170 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-20183
https://notcve.org/view.php?id=CVE-2021-20183
28 Jan 2021 — It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries. Se encontró en Moodle versiones anteriores a 3.10.1, que algunas entradas de búsqueda eran vulnerables a XSS reflejado debido a un escape insuficiente de las consultas de búsqueda • https://moodle.org/mod/forum/discuss.php?d=417166 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2021-20187
https://notcve.org/view.php?id=CVE-2021-20187
28 Jan 2021 — It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. Se encontró en Moodle versiones anteriores a 3.10.1, 3.9.4, 3.8.7 y 3.5.16, que era posible para los administradores del sitio ejecutar scripts PHP arbitrarios por medio de una inclusión PHP usada durante la autenticación Shibboleth • https://moodle.org/mod/forum/discuss.php?d=417171 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-25628
https://notcve.org/view.php?id=CVE-2020-25628
08 Dec 2020 — The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. El filtro en el administrador de etiquetas requirió un saneamiento adicional para impedir un riesgo de XSS reflejado. Esto afecta a versiones 3.9 hasta 3.9.1, 3.8 hasta 3.8.4, 3.7 hasta 3.7.7, 3.5 hasta 3.5.13 y versiones anteriores no compatibles. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69340 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-25629
https://notcve.org/view.php?id=CVE-2020-25629
08 Dec 2020 — A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. Se encontró una vulnerabilidad en Moodle donde los usuarios con la capacidad "Log in as" en el contexto de un curso (típicamente, administrad... • https://moodle.org/mod/forum/discuss.php?d=410841 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-25630
https://notcve.org/view.php?id=CVE-2020-25630
08 Dec 2020 — A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14. Se encontró una vulnerabilidad en Moodle donde el tamaño descomprimido de los archivos zip no se verificaba con la cuota de usuario disponible antes de descomprimirlos,... • https://moodle.org/mod/forum/discuss.php?d=410842 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-25700
https://notcve.org/view.php?id=CVE-2020-25700
19 Nov 2020 — In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10. En moodle, algunos servicios web de módulos de base de datos permitían a estudiantes agregar entradas dentro de grupos a los que no pertenecían. Versiones afectadas: 3.9 hasta 3.9.2, 3.8 hasta 3.8.5, 3.7 hasta 3.7.8, 3.5 hasta ... • https://bugzilla.redhat.com/show_bug.cgi?id=1895427 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2020-25701
https://notcve.org/view.php?id=CVE-2020-25701
19 Nov 2020 — If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. Si la herramienta de carga de curso en Moodle se usó para eliminar un método de inscripción ... • https://bugzilla.redhat.com/show_bug.cgi?id=1895432 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •