Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
CVSS Score
8.8
EPSS Score
0.002
Published
2022-10-06
Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.
CVSS Score
7.1
EPSS Score
0.003
Published
2022-09-30
A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.
CVSS Score
9.8
EPSS Score
0.102
Published
2022-09-30
A limited SQL injection risk was identified in the "browse list of users" site administration page.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-09-30
The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-09-30
A session hijack risk was identified in the Shibboleth authentication plugin.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-09-29
Insufficient capability checks made it possible for teachers to download users outside of their courses.
CVSS Score
4.3
EPSS Score
0.001
Published
2022-09-29
An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.
CVSS Score
6.5
EPSS Score
0.001
Published
2022-09-29
Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.
CVSS Score
4.9
EPSS Score
0.002
Published
2022-09-29
It was possible for a student to view their quiz grade before it had been released, using a quiz web service.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-09-29