Moodle 3.1 Security Vulnerabilities
A vulnerability was found in Moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.
CVSS Score
5.4
EPSS Score
0.011
Published
2019-03-27
A vulnerability was found in Moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. (Note: It was read-only access; users could not edit the events.)
CVSS Score
4.3
EPSS Score
0.001
Published
2019-03-26
A vulnerability was found in Moodle before versions 3.6.3, 3.5.5 and 3.4.8. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.
CVSS Score
6.3
EPSS Score
0.003
Published
2019-03-26
A vulnerability was found in Moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits.
CVSS Score
4.3
EPSS Score
0.001
Published
2019-03-26
A vulnerability was found in Moodle before version 3.6.3. The get_with_capability_join and get_users_by_capability functions were not taking context freezing into account when checking user capabilities.
CVSS Score
4.3
EPSS Score
0.002
Published
2019-03-26
A flaw was found in Moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank.
CVSS Score
6.3
EPSS Score
0.003
Published
2018-07-10
A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via the PayPal enrol script. The PayPal IPN callback script should only send error emails to admin after the request origin was verified; otherwise admin email can be spammed.
CVSS Score
5.3
EPSS Score
0.007
Published
2018-04-04
Moodle 3.x has Server Side Request Forgery in the filepicker.
CVSS Score
6.5
EPSS Score
0.145
Published
2018-01-22
In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings.
CVSS Score
4.3
EPSS Score
0.002
Published
2018-01-22
In Moodle 3.x, there is XSS via a calendar event name.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-01-22

