In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students.
CVSS Score
4.3
EPSS Score
0.002
Published
2017-11-20
In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
CVSS Score
6.3
EPSS Score
0.003
Published
2017-05-15
In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.
CVSS Score
5.3
EPSS Score
0.002
Published
2017-05-15
In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.
CVSS Score
4.3
EPSS Score
0.001
Published
2017-05-15
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
CVSS Score
9.8
EPSS Score
0.019
Published
2017-03-26
In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.
CVSS Score
5.3
EPSS Score
0.002
Published
2017-01-20
In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.
CVSS Score
4.3
EPSS Score
0.002
Published
2017-01-20
In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.
CVSS Score
5.3
EPSS Score
0.002
Published
2017-01-20
In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.
CVSS Score
5.3
EPSS Score
0.002
Published
2017-01-20
Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters.
CVSS Score
6.1
EPSS Score
0.003
Published
2016-11-04