CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2019-3848
https://notcve.org/view.php?id=CVE-2019-3848
26 Mar 2019 — A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.) Se ha detectado una vulnerabilidad en moodle, en versiones anteriores a la 3.6.3, 3.5.5 y 3.4.8. Los permisos no se comprobaban correctamente antes de cargar información de eventos en ... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3848 • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 1%CPEs: 5EXPL: 1CVE-2018-16854
https://notcve.org/view.php?id=CVE-2018-16854
26 Nov 2018 — A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15. Se ha encontrado un error en Moodle en las siguientes versiones: desde la 3.5 hasta la 3.5.2, desde la 3.4 hasta la 3.4.5, desde la 3.3 hasta la 3.3.8 y desde la 3.1 hasta la 3.1.14 y anteriores. El formulario de inicio de sesión no es protegido por un token ... • https://github.com/danielthatcher/moodle-login-csrf • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 1%CPEs: 5EXPL: 3CVE-2018-14630 – Moodle 3.x PHP Unserialize Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-14630
17 Sep 2018 — moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source. moodle en versiones anteriores a la 3.5.2, 3.4.5, 3.3.8 y 3.1.14 es vulnerable a una importación XML de ddwtos que podría conducir a la e... • https://packetstorm.news/files/id/149426 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 1%CPEs: 5EXPL: 0CVE-2018-1081
https://notcve.org/view.php?id=CVE-2018-1081
04 Apr 2018 — A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via paypal enrol script. Paypal IPN callback script should only send error emails to admin after request origin was verified, otherwise admin email can be spammed. Se ha encontrado un error en Moodle 3.4 a 3.4.1, 3.3 a 3.3.4, 3.2 a 3.2.7 y 3.1 a 3.1.10, así como en versiones anteriores sin soporte. Los usuarios no autenticados pueden ... • http://www.securityfocus.com/bid/103728 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 18%CPEs: 13EXPL: 3CVE-2018-1042 – Moodle Filepicker 3.5.2 - Server Side Request Forgery
https://notcve.org/view.php?id=CVE-2018-1042
22 Jan 2018 — Moodle 3.x has Server Side Request Forgery in the filepicker. Moodle, en versiones 3.x, tiene Server Side Request Forgery en el filepicker. Moodle Filepicker version 3.5.2 suffers from a server-side request forgery vulnerability. • https://packetstorm.news/files/id/153766 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0CVE-2018-1044
https://notcve.org/view.php?id=CVE-2018-1044
22 Jan 2018 — In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings. En Moodle 3.x, los servicios quiz web permiten que los estudiantes vean los resultados de los tests cuando se les prohíbe hacerlo en las opciones. • http://www.securityfocus.com/bid/102754 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 12EXPL: 0CVE-2018-1045
https://notcve.org/view.php?id=CVE-2018-1045
22 Jan 2018 — In Moodle 3.x, there is XSS via a calendar event name. En Moodle 3.x, hay XSS mediante un nombre de evento de calendario. • http://www.securityfocus.com/bid/102755 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2017-15110
https://notcve.org/view.php?id=CVE-2017-15110
20 Nov 2017 — In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students. En las versiones 3.x de Moodle, los estudiantes pueden averiguar las direcciones de correo electrónico de otros estudiantes en el mismo curso. Empleando la búsqueda en la página Participants, los estudiantes podrían buscar las di... • http://www.securityfocus.com/bid/101909 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 37EXPL: 0CVE-2017-2576
https://notcve.org/view.php?id=CVE-2017-2576
20 Jan 2017 — In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums. En Moodle 2.x y 3.x, hay una desinfección incorrecta de atributos en foros. • http://www.securityfocus.com/bid/95649 • CWE-20: Improper Input Validation •
CVSS: 5.8EPSS: 0%CPEs: 27EXPL: 0CVE-2016-5013
https://notcve.org/view.php?id=CVE-2016-5013
20 Jan 2017 — In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam. En Moodle 2.x y 3.x, puede ocurrir inyección de texto en las cabeceras de email, conduciendo potencialmente a salida de spam. • http://www.securityfocus.com/bid/92040 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •