CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-40695
https://notcve.org/view.php?id=CVE-2021-40695
21 Jan 2022 — It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Era posible que un estudiante visualizara la nota de su cuestionario antes de que se hubiera publicado, usando un servicio web de cuestionarios • https://bugzilla.redhat.com/show_bug.cgi?id=2043424 •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-40692
https://notcve.org/view.php?id=CVE-2021-40692
21 Jan 2022 — Insufficient capability checks made it possible for teachers to download users outside of their courses. Unas comprobaciones de capacidad insuficientes hicieron posible que los profesores descargaran usuarios fuera de sus cursos • https://bugzilla.redhat.com/show_bug.cgi?id=2043414 • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-40693
https://notcve.org/view.php?id=CVE-2021-40693
21 Jan 2022 — An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability. Se identificó un riesgo de omisión de autenticación en la funcionalidad external database authentication, debido a una vulnerabilidad de malabarismo de tipos • https://bugzilla.redhat.com/show_bug.cgi?id=2043417 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-40694
https://notcve.org/view.php?id=CVE-2021-40694
21 Jan 2022 — Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account. Un escape insuficiente del preámbulo de LaTeX hacía posible que los administradores del sitio leyeran archivos disponibles para la cuenta del sistema del servidor HTTP • https://bugzilla.redhat.com/show_bug.cgi?id=2043421 • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-43560
https://notcve.org/view.php?id=CVE-2021-43560
22 Nov 2021 — A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events. Se ha encontrado un fallo en Moodle en versiones 3.11 hasta 3.11.3, versiones 3.10 hasta 3.10.7, versiones 3.9 hasta 3.9.10 y versiones anteriores no soportadas. Las comprobaciones de capacidad insuficientes permitían conseguir los eventos de acción del calendario de otros usuarios • https://bugzilla.redhat.com/show_bug.cgi?id=2021519 • CWE-668: Exposure of Resource to Wrong Sphere CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-43559
https://notcve.org/view.php?id=CVE-2021-43559
22 Nov 2021 — A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk. Se encontró un fallo en Moodle en versiones 3.11 a 3.11.3, 3.10 a 3.10.7, 3.9 a 3.9.10 y versiones anteriores no soportadas. La funcionalidad "delete related badge" no incluía la comprobación de tokens necesaria para evitar un riesgo de tipo CSRF • https://bugzilla.redhat.com/show_bug.cgi?id=2021517 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2021-43558
https://notcve.org/view.php?id=CVE-2021-43558
22 Nov 2021 — A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk. Se encontró un fallo en Moodle en versiones 3.11 a 3.11.3, 3.10 a 3.10.7, 3.9 a 3.9.10 y versiones anteriores no soportadas. Un parámetro de URL en la herramienta de administración del sitio filetype requería un saneamiento adicional para evitar un riesgo de un ataque de tipo X... • https://bugzilla.redhat.com/show_bug.cgi?id=2021515 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 3EXPL: 0CVE-2021-3943
https://notcve.org/view.php?id=CVE-2021-3943
22 Nov 2021 — A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified. Se ha encontrado un fallo en Moodle en versiones 3.11 a 3.11.3, 3.10 a 3.10.7, 3.9 a 3.9.10 y versiones anteriores no soportadas. Se ha identificado un riesgo de ejecución de código remota cuando se restauran archivos de copia de seguridad • https://bugzilla.redhat.com/show_bug.cgi?id=2021963 • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 63%CPEs: 4EXPL: 4CVE-2020-14321 – Moodle Teacher Enrollment Privilege Escalation / Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-14321
12 Oct 2021 — In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course. En Moodle versiones anteriores a 3.9.1, 3.8.4, 3.7.7 y 3.5.13, los profesores de un curso podían asignarse a sí mismos el rol de administrador dentro de ese curso. • https://packetstorm.news/files/id/164480 • CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-14827
https://notcve.org/view.php?id=CVE-2019-14827
17 May 2021 — A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions. Se encontró una vulnerabilidad en Moodle donde la inyección de javaS... • https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62284 • CWE-94: Improper Control of Generation of Code ('Code Injection') •