The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-09-30
A session hijack risk was identified in the Shibboleth authentication plugin.
CVSS Score
4.3
EPSS Score
0.004
Published
2022-09-29
Insufficient capability checks made it possible for teachers to download users outside of their courses.
CVSS Score
4.3
EPSS Score
0.003
Published
2022-09-29
An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.
CVSS Score
6.5
EPSS Score
0.003
Published
2022-09-29
Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.
CVSS Score
4.9
EPSS Score
0.005
Published
2022-09-29
It was possible for a student to view their quiz grade before it had been released, using a quiz web service.
CVSS Score
4.3
EPSS Score
0.003
Published
2022-09-29
In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7.
CVSS Score
5.4
EPSS Score
0.004
Published
2022-09-13
The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
CVSS Score
9.8
EPSS Score
0.075
Published
2022-07-25
The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default.
CVSS Score
7.5
EPSS Score
0.004
Published
2022-07-25
A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.
CVSS Score
6.1
EPSS Score
0.003
Published
2022-07-25