
CVE-2025-26533 – SQL injection risk in course search module list filter
https://notcve.org/view.php?id=CVE-2025-26533
24 Feb 2025 — An SQL injection risk was identified in the module list filter within course search. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84271 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
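A "module list filter" is typically a list of module names that ends up in a SQL IN (...) clause. The classic mistake is to build that list by string concatenation; the fix is one placeholder per value (Moodle's DML layer provides $DB->get_in_or_equal() for exactly this). The following is an added illustration in Python with sqlite3, not Moodle's code: the table, data and the vulnerable function are constructed for the example, and the payload shows why the concatenated form is exploitable.

```python
import sqlite3


def make_db():
    """Constructed sample data (not Moodle's schema): a few course modules."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE course_modules (id INTEGER, course INTEGER, modname TEXT);
        INSERT INTO course_modules VALUES
            (1, 10, 'forum'), (2, 10, 'quiz'), (3, 11, 'quiz'), (4, 12, 'assign');
    """)
    return conn


def search_vulnerable(conn, course, modnames):
    """Hypothetical vulnerable filter: module names are concatenated into the IN list."""
    inlist = ", ".join("'" + m + "'" for m in modnames)
    sql = (f"SELECT id FROM course_modules "
           f"WHERE course = {int(course)} AND modname IN ({inlist})")
    return sorted(r[0] for r in conn.execute(sql))


def search_parameterised(conn, course, modnames):
    """Hardened form: one '?' placeholder per value, values passed as parameters."""
    if not modnames:
        return []
    placeholders = ", ".join("?" * len(modnames))   # "?, ?, ?"
    sql = (f"SELECT id FROM course_modules "
           f"WHERE course = ? AND modname IN ({placeholders})")
    return sorted(r[0] for r in conn.execute(sql, (course, *modnames)))


# Constructed payload: closes the IN list and appends an always-true condition.
PAYLOAD = ["x') OR 1=1 --"]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, course 10, payload:   ", search_vulnerable(db, 10, PAYLOAD))
    print("parameterised, course 10, payload:", search_parameterised(db, 10, PAYLOAD))
    print("parameterised, course 10, ['quiz']:", search_parameterised(db, 10, ["quiz"]))
```

With the payload, the concatenated query becomes `... AND modname IN ('x') OR 1=1 --')` and returns every module on the site regardless of course; the parameterised query treats the same string as a literal module name and returns nothing.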

CVE-2025-26532 – Teachers can evade trusttext config when restoring glossary entries
https://notcve.org/view.php?id=CVE-2025-26532
24 Feb 2025 — Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84003 • CWE-863: Incorrect Authorization •

CVE-2025-26531 – IDOR in badges allows disabling of arbitrary badges
https://notcve.org/view.php?id=CVE-2025-26531
24 Feb 2025 — Insufficient capability checks made it possible to disable badges a user does not have permission to access. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84239 • CWE-863: Incorrect Authorization •

CVE-2025-26529 – Stored XSS risk in admin live log
https://notcve.org/view.php?id=CVE-2025-26529
24 Feb 2025 — Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84145 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-26528 – Stored XSS in ddimageortext question type
https://notcve.org/view.php?id=CVE-2025-26528
24 Feb 2025 — The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82896 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-26527 – Non-searchable tags can still be discovered on the tag search page and in the tags block
https://notcve.org/view.php?id=CVE-2025-26527
24 Feb 2025 — Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83941 • CWE-1230: Exposure of Sensitive Information Through Metadata •

CVE-2025-26526 – Feedback response viewing and deletions did not respect Separate Groups mode
https://notcve.org/view.php?id=CVE-2025-26526
24 Feb 2025 — Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79976 • CWE-863: Incorrect Authorization •

CVE-2025-26525 – Arbitrary file read risk through pdfTeX
https://notcve.org/view.php?id=CVE-2025-26525
24 Feb 2025 — Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed). • https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84136 • CWE-552: Files or Directories Accessible to External Parties •
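TeX has primitives (`\input`, `\openin`, `\read`, ...) that read the filesystem, and because command names can be built at run time (`\csname ... \endcsname`) a denylist of dangerous commands is easy to bypass. A notation filter that only needs maths should instead allowlist the commands and environments it renders. The following is an added example, not Moodle's filter: the allowed sets are an assumption chosen for a small maths filter, and the rejected inputs are constructed.

```python
import re

# Assumed allowlist for a maths-only notation filter; extend per site needs.
ALLOWED_COMMANDS = {
    "frac", "sqrt", "sum", "int", "prod", "lim", "infty",
    "alpha", "beta", "gamma", "pi", "theta", "cdot", "times",
    "left", "right", "le", "ge", "neq", "mathrm", "text", "begin", "end",
}
ALLOWED_ENVIRONMENTS = {"matrix", "pmatrix", "bmatrix", "cases", "align*"}
# Control symbols (backslash + one non-letter) that are harmless in maths.
ALLOWED_SYMBOLS = set("{}_^&\\ ,;%$#")

# A control word (\letters) or a control symbol (\ plus one other character).
CONTROL_RE = re.compile(r"\\([A-Za-z]+|.)")
ENV_RE = re.compile(r"\\(?:begin|end)\s*\{([^}]*)\}")


def find_disallowed(tex):
    """Return every command or environment in `tex` that is not allowlisted."""
    bad = []
    for m in CONTROL_RE.finditer(tex):
        name = m.group(1)
        if name in ALLOWED_COMMANDS:
            continue
        if len(name) == 1 and not name.isalpha() and name in ALLOWED_SYMBOLS:
            continue
        bad.append("\\" + name)
    for m in ENV_RE.finditer(tex):
        if m.group(1) not in ALLOWED_ENVIRONMENTS:
            bad.append("\\begin{" + m.group(1) + "}")
    return bad


def is_safe(tex):
    return not find_disallowed(tex)


if __name__ == "__main__":
    # Constructed inputs: ordinary maths, then attempts to reach the filesystem.
    for sample in (r"\frac{1}{2} + \sqrt{x^2}",
                   r"\input{/etc/passwd}",
                   r"\csname input\endcsname /etc/passwd",
                   r"\begin{pmatrix} a & b \end{pmatrix}",
                   r"\openin1=/etc/hostname"):
        print(repr(sample), "->", find_disallowed(sample) or "ok")
```

Allowlisting is only one layer: on a site that shells out to pdfTeX, the binary should also run with `-no-shell-escape`, and the TeX Live `openin_any=p` (paranoid) setting refuses reads of absolute paths and parent directories even if a command slips through.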

CVE-2024-38277 – moodle: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys
https://notcve.org/view.php?id=CVE-2024-38277
18 Jun 2024 — A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6 • CWE-324: Use of a Key Past its Expiration Date CWE-326: Inadequate Encryption Strength •
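The underlying principle is that a login key must be bound to the purpose it was issued for, so that a key obtained through one flow (a QR code that may be displayed or photographed) cannot be replayed in the other, and that a key past its expiry is never accepted. The following is an added sketch of such a store in Python; it is not Moodle's implementation, and the purpose names, TTL and in-memory storage are assumptions.

```python
import hmac
import secrets
import time


class LoginKeyStore:
    """Purpose-scoped, expiring login keys (assumed design, not Moodle's code)."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._keys = {}   # (userid, purpose) -> (key, expires_at)

    def issue(self, userid, purpose, now=None):
        """Generate an independent random key for this user and this purpose."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._keys[(userid, purpose)] = (key, now + self.ttl)
        return key

    def validate(self, userid, purpose, presented, now=None):
        """True only if `presented` is the live key issued for exactly this purpose."""
        now = time.time() if now is None else now
        entry = self._keys.get((userid, purpose))
        if entry is None:
            return False
        key, expires_at = entry
        if now >= expires_at:
            del self._keys[(userid, purpose)]    # never honour an expired key
            return False
        return hmac.compare_digest(key, presented)   # constant-time comparison


if __name__ == "__main__":
    store = LoginKeyStore(ttl_seconds=600)
    qr = store.issue(5, "qrlogin", now=1000)
    auto = store.issue(5, "autologin", now=1000)
    print("QR key accepted for QR login:   ", store.validate(5, "qrlogin", qr, now=1001))
    print("QR key accepted for auto-login: ", store.validate(5, "autologin", qr, now=1001))
    print("QR key accepted after expiry:   ", store.validate(5, "qrlogin", qr, now=1700))
```

Keying the store by (user, purpose) is what prevents the interchangeable use described in the advisory: the auto-login check simply never sees the QR key.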

CVE-2024-38276 – moodle: CSRF risks due to misuse of confirm_sesskey
https://notcve.org/view.php?id=CVE-2024-38276
18 Jun 2024 — Incorrect CSRF token checks resulted in multiple CSRF risks. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6 • CWE-352: Cross-Site Request Forgery (CSRF) •
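In Moodle, confirm_sesskey() returns a boolean and leaves enforcement to the caller, whereas require_sesskey() throws when the token is missing or wrong; calling the former as a bare statement checks nothing. The following is an added, constructed lint in Python (not Moodle tooling) that flags confirm_sesskey() calls whose result is discarded. The PHP snippet it scans is constructed for the example and is not Moodle code.

```python
import re

# Constructed PHP showing the discarded-result pattern alongside correct uses.
SAMPLE_PHP = """<?php
require_login($course);
confirm_sesskey();              // result discarded: request is never rejected
if (confirm_sesskey()) {        // result used
    delete_records();
}
$ok = confirm_sesskey();        // assigned and checked later
if (!confirm_sesskey()) {
    throw new moodle_exception('invalidsesskey');
}
require_sesskey();              // throws on failure, nothing to discard
    confirm_sesskey( $key );    // indented, still a bare statement
"""

# A line consisting only of a confirm_sesskey(...) call used as a statement.
BARE_CALL_RE = re.compile(r"^\s*confirm_sesskey\s*\([^)]*\)\s*;")


def find_discarded_checks(php_source):
    """Return 1-based line numbers where confirm_sesskey()'s result is ignored."""
    return [lineno
            for lineno, line in enumerate(php_source.splitlines(), start=1)
            if BARE_CALL_RE.match(line)]


if __name__ == "__main__":
    for lineno in find_discarded_checks(SAMPLE_PHP):
        print(f"line {lineno}: confirm_sesskey() result discarded; "
              f"use require_sesskey() or test the return value")
```

The regex is deliberately narrow (a whole-line bare call); grepping a code base with it is a cheap first pass for this class of bug, and each hit should be replaced with require_sesskey() or an explicit check of the return value.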