CVE-2020-25698
https://notcve.org/view.php?id=CVE-2020-25698
19 Nov 2020 — Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. • https://bugzilla.redhat.com/show_bug.cgi?id=1895419 • CWE-284: Improper Access Control
CVE-2020-25699
https://notcve.org/view.php?id=CVE-2020-25699
19 Nov 2020 — In Moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in Moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10. • https://bugzilla.redhat.com/show_bug.cgi?id=1895425 • CWE-863: Incorrect Authorization
CVE-2020-10738
https://notcve.org/view.php?id=CVE-2020-10738
21 May 2020 — A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions. It was possible to create a SCORM package in such a way that, when added to a course, it could be interacted with via web services in order to achieve remote code execution. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68410 • CWE-20: Improper Input Validation
CVE-2019-14880
https://notcve.org/view.php?id=CVE-2019-14880
31 Mar 2020 — A vulnerability was found in Moodle versions 3.7 before 3.7.3, 3.6 before 3.6.7, 3.5 before 3.5.9 and earlier. OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14880 • CWE-287: Improper Authentication
CVE-2019-14884
https://notcve.org/view.php?id=CVE-2019-14884
18 Mar 2020 — A vulnerability was found in Moodle 3.7 before 3.73, 3.6 before 3.6.7 and 3.5 before 3.5.9, where a reflected XSS was possible from some fatal error messages. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14884 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-14882
https://notcve.org/view.php?id=CVE-2019-14882
18 Mar 2020 — A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier, where an open redirect existed in the Lesson edit page. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14882 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2020-1692
https://notcve.org/view.php?id=CVE-2020-1692
17 Feb 2020 — Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1692 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-18210
https://notcve.org/view.php?id=CVE-2019-18210
11 Feb 2020 — Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Bec... • https://docs.moodle.org/38/en/Teacher_role • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-14879
https://notcve.org/view.php?id=CVE-2019-14879
07 Jan 2020 — A vulnerability was found in Moodle versions 3.7.x before 3.7.3, 3.6.x before 3.6.7 and 3.5.x before 3.5.9. When a cohort role assignment was removed, the associated capabilities were not being revoked (where applicable). • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14879 • CWE-264: Permissions, Privileges, and Access Controls • CWE-273: Improper Check for Dropped Privileges
CVE-2019-10186
https://notcve.org/view.php?id=CVE-2019-10186
31 Jul 2019 — A flaw was found in Moodle before versions 3.7.1, 3.6.5, 3.5.7. A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool. • http://www.securityfocus.com/bid/109175 • CWE-352: Cross-Site Request Forgery (CSRF)