Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
CVSS Score
5.4
EPSS Score
0.007
Published
2021-03-15
It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
CVSS Score
5.3
EPSS Score
0.004
Published
2021-03-15
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-03-15
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
CVSS Score
4.3
EPSS Score
0.003
Published
2021-03-15
It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.
CVSS Score
5.4
EPSS Score
0.004
Published
2021-01-28
It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades.
CVSS Score
4.3
EPSS Score
0.002
Published
2021-01-28
Moodle before version 3.7.2 is vulnerable to information exposure of service tokens for users enrolled in the same course.
CVSS Score
8.1
EPSS Score
0.002
Published
2020-02-17
Persistent XSS in /course/modedit.php of Moodle through 3.7.2 allows authenticated users (Teacher and above) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter. NOTE: the discoverer and vendor disagree on whether Moodle customers have a reasonable expectation that anyone authenticated as a Teacher can be trusted with the ability to add arbitrary JavaScript (this ability is not documented on Moodle's Teacher_role page). Because the vendor has this expectation, they have stated "this report has been closed as a false positive, and not a bug."
CVSS Score
5.4
EPSS Score
0.004
Published
2020-02-11
A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.
CVSS Score
6.5
EPSS Score
0.002
Published
2019-06-26
A vulnerability was found in moodle before version 3.6.3. The get_with_capability_join and get_users_by_capability functions were not taking context freezing into account when checking user capabilities
CVSS Score
4.3
EPSS Score
0.002
Published
2019-03-26