ALT-PU-2020-1977-1
Closed vulnerabilities
Modified: 2024-11-21
CVE-2020-10738
A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions. It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution.
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68410
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10738
- https://moodle.org/mod/forum/discuss.php?d=403513
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68410
- https://moodle.org/mod/forum/discuss.php?d=403513
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10738
Modified: 2024-11-21
CVE-2020-1754
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.
Modified: 2024-11-21
CVE-2020-1755
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.
Modified: 2024-11-21
CVE-2020-1756
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool.