CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2025-34032 – Moodle LMS Jmol Plugin Cross-site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2025-34032
24 Jun 2025 — A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. • https://vulncheck.com/advisories/moodle-lms-jmol-plugin-xss • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.7EPSS: 5%CPEs: 1EXPL: 2CVE-2025-34031 – Moodle LMS Jmol Plugin Path Traversal
https://notcve.org/view.php?id=CVE-2025-34031
24 Jun 2025 — A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. • https://vulncheck.com/advisories/moodle-lms-jmol-plugin-path-traversal • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53021
https://notcve.org/view.php?id=CVE-2025-53021
24 Jun 2025 — A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects produc... • https://github.com/moodle/moodle/releases/tag/v3.11.18 • CWE-384: Session Fixation •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32045 – Moodle: hidden grades shown to users without permission on some grade reports
https://notcve.org/view.php?id=CVE-2025-32045
25 Apr 2025 — A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades. • https://access.redhat.com/security/cve/CVE-2025-32045 • CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32044 – Moodle: unauthenticated rest api user data exposure
https://notcve.org/view.php?id=CVE-2025-32044
25 Apr 2025 — A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact information, and hashed passwords—via stack traces returned by specific API calls. Sites with PHP configured with zend.exception_ignore_args = 1 in the php.ini file are not affected by this vulnerability. • https://access.redhat.com/security/cve/CVE-2025-32044 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3647 – Moodle: idor when accessing the cohorts report
https://notcve.org/view.php?id=CVE-2025-3647
25 Apr 2025 — A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve. • https://access.redhat.com/security/cve/CVE-2025-3647 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3645 – Moodle: idor in messaging web service allows access to some user details
https://notcve.org/view.php?id=CVE-2025-3645
25 Apr 2025 — A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses. • https://access.redhat.com/security/cve/CVE-2025-3645 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3644 – Moodle: ajax section delete does not respect course_can_delete_section()
https://notcve.org/view.php?id=CVE-2025-3644
25 Apr 2025 — A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify. • https://access.redhat.com/security/cve/CVE-2025-3644 • CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3643 – Moodle: reflected xss risk in policy tool
https://notcve.org/view.php?id=CVE-2025-3643
25 Apr 2025 — A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk. • https://access.redhat.com/security/cve/CVE-2025-3643 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3642 – Moodle: authenticated remote code execution risk in the moodle lms equella repository
https://notcve.org/view.php?id=CVE-2025-3642
25 Apr 2025 — A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled. • https://access.redhat.com/security/cve/CVE-2025-3642 • CWE-94: Improper Control of Generation of Code ('Code Injection') •