CVE-2021-36395
https://notcve.org/view.php?id=CVE-2021-36395
In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service. • https://moodle.org/mod/forum/discuss.php?d=424801 • CWE-400: Uncontrolled Resource Consumption CWE-674: Uncontrolled Recursion •
CVE-2021-36392
https://notcve.org/view.php?id=CVE-2021-36392
In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses. • https://moodle.org/mod/forum/discuss.php?d=424797 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-36394
https://notcve.org/view.php?id=CVE-2021-36394
In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin. • https://github.com/dinhbaouit/CVE-2021-36394 https://github.com/lavclash75/CVE-2021-36394-Pre-Auth-RCE-in-Moodle https://moodle.org/mod/forum/discuss.php?d=424799 • CWE-384: Session Fixation •
CVE-2021-36398
https://notcve.org/view.php?id=CVE-2021-36398
In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk. • https://moodle.org/mod/forum/discuss.php?d=424804 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-23921 – Moodle: reflected xss risk in some returnurl parameters
https://notcve.org/view.php?id=CVE-2023-23921
The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76810 https://bugzilla.redhat.com/show_bug.cgi?id=2162526 https://moodle.org/mod/forum/discuss.php?d=443272#p1782021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •