| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to. |
| A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values. |
| A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts. |
| A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access. |
| Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized. |
| The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF. |
| The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered. |
| Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk. |
| ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk. |
| The referrer URL used by MFA required additional sanitizing, rather than being used directly. |
| Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features. |
| Additional sanitizing was required when opening the equation editor to prevent a stored XSS risk when editing another user's equation. |
| Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to. |
| Moodle 3.5.x before 3.5.4 allows SSRF. |
| A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified. |
| Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load. |
| The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to. |
| A limited SQL injection risk was identified in the "browse list of users" site administration page. |
| A flaw was found in moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary. |
| A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users. |
