In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.
CVSS Score
4.3
EPSS Score
0.001
Published
2017-05-15
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
CVSS Score
9.8
EPSS Score
0.019
Published
2017-03-26
In Moodle 3.x, XSS can occur via evidence of prior learning.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-03-26
In Moodle 3.x, XSS can occur via attachments to evidence of prior learning.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-03-26
In Moodle 3.x, glossary search displays entries without checking user permissions to view them.
CVSS Score
5.3
EPSS Score
0.002
Published
2017-01-20
In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.
CVSS Score
5.4
EPSS Score
0.004
Published
2017-01-20
In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course.
CVSS Score
5.4
EPSS Score
0.002
Published
2017-01-20
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.
CVSS Score
7.3
EPSS Score
0.002
Published
2017-01-20
In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.
CVSS Score
5.3
EPSS Score
0.002
Published
2017-01-20
In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.
CVSS Score
4.3
EPSS Score
0.002
Published
2017-01-20