In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
CVSS Score
6.3
EPSS Score
0.003
Published
2017-05-15
In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.
CVSS Score
5.3
EPSS Score
0.003
Published
2017-05-15
In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.
CVSS Score
4.3
EPSS Score
0.001
Published
2017-05-15
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
CVSS Score
9.8
EPSS Score
0.019
Published
2017-03-26
In Moodle 3.x, XSS can occur via evidence of prior learning.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-03-26
In Moodle 3.x, XSS can occur via attachments to evidence of prior learning.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-03-26
In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.
CVSS Score
5.3
EPSS Score
0.002
Published
2017-01-20
In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.
CVSS Score
4.3
EPSS Score
0.002
Published
2017-01-20
In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.
CVSS Score
5.3
EPSS Score
0.003
Published
2017-01-20
In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.
CVSS Score
5.3
EPSS Score
0.003
Published
2017-01-20