An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-07-25
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users.
CVSS Score
6.1
EPSS Score
0.773
Published
2022-07-25
A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.
CVSS Score
5.3
EPSS Score
0.006
Published
2022-05-18
A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.
CVSS Score
4.3
EPSS Score
0.005
Published
2022-05-18
A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.
CVSS Score
9.8
EPSS Score
0.009
Published
2022-05-18
A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.
CVSS Score
9.8
EPSS Score
0.019
Published
2022-05-18
A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.
CVSS Score
5.4
EPSS Score
0.009
Published
2022-05-18
Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-04-29
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-04-29
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
CVSS Score
8.8
EPSS Score
0.003
Published
2022-03-25