ALT-PU-2021-1050-2

BDU:2021-01190

HIGH7.2

Уязвимость реализации технологии аутентификации Shibboleth виртуальной обучающей среды Moodle, позволяющая нарушителю выполнить произвольный код

Published: 2021-03-11

CVSS 3.xHIGH 7.2

CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 9.0

CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C

References

CVE-2021-20187

BDU:2021-01191

MEDIUM4.4

Уязвимость фильтра преобразования текстовых выражений TeX виртуальной обучающей среды Moodle, позволяющая нарушителю проводить межсайтовые сценарные атаки

Published: 2021-03-11

CVSS 3.xMEDIUM 4.4

CVSS:3.x/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS 2.0LOW 3.6

CVSS:2.0/AV:N/AC:H/Au:S/C:P/I:P/A:N

References

CVE-2021-20186

BDU:2021-01192

MEDIUM5.3

Уязвимость виртуальной обучающей среды Moodle, связанная с недостатками вводимых символов при обработке сообщений, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-03-11

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

References

CVE-2021-20185

BDU:2021-01193

MEDIUM4.3

Уязвимость реализации модуля «Gradebook» («Оценки») виртуальной обучающей среды Moodle, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2021-03-11

CVSS 3.xMEDIUM 4.3

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N

References

CVE-2021-20184

BDU:2021-01194

MEDIUM5.4

Уязвимость виртуальной обучающей среды Moodle, связанная с недостаточной очисткой введенных пользователем данных в определенных поисковых запросах, позволяющая нарушителю проводить межсайтовые сценарные атаки

Published: 2021-03-11

CVSS 3.xMEDIUM 5.4

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS 2.0MEDIUM 5.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N

References

CVE-2021-20183

BDU:2024-04970

MEDIUM5.5

Уязвимость компонента New Activity Handler виртуальной обучающей среды Moodle, позволяющая нарушителю выполнить произвольный код

Published: 2024-07-03

CVSS 3.xMEDIUM 5.5

CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CVSS 2.0MEDIUM 6.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P

References

CVE-2024-37674

CVE-2021-20183

MEDIUM5.4

It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.

Published: 2021-01-28Modified: 2024-11-21

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xMEDIUM 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

CVE-2021-20184

MEDIUM4.3

It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades.

Published: 2021-01-28Modified: 2024-11-21

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

CVE-2021-20185

MEDIUM5.3

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.

Published: 2021-01-28Modified: 2024-11-21

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

CVE-2021-20186

MEDIUM5.4

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.

Published: 2021-01-28Modified: 2024-11-21

CVSS 2.0LOW 2.1

CVSS:2.0/AV:N/AC:H/Au:S/C:P/I:N/A:N

CVSS 3.xMEDIUM 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

CVE-2021-20187

HIGH7.2

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.

Published: 2021-01-28Modified: 2024-11-21

CVSS 2.0MEDIUM 6.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS 3.xHIGH 7.2

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

CVE-2021-21809

CRITICAL9.1

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.

Published: 2021-06-23Modified: 2024-11-21

CVSS 2.0CRITICAL 9.0

CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS 3.xCRITICAL 9.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References

CVE-2024-37674

MEDIUM5.5

Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name parameter) of a new activity.

Published: 2024-06-20Modified: 2025-06-13

CVSS 3.xMEDIUM 5.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

References

GHSA-2jrm-gww7-wch2

HIGH7.2

Moodle Arbitrary PHP code execution by site admins via Shibboleth configuration

Published: 2022-05-24Modified: 2024-04-24

CVSS 3.xHIGH 7.2

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

GHSA-c3j6-33r4-89q3

MEDIUM5.3

Moodle Client side denial of service via personal message

Published: 2022-05-24Modified: 2024-04-24

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

GHSA-c7jj-vfmr-j9mj

CRITICAL9.1

Moodle command execution vulnerability exists in the default legacy spellchecker plugin

Published: 2022-05-24Modified: 2024-04-24

CVSS 3.xCRITICAL 9.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References

GHSA-h8m4-h385-qhqv

MEDIUM5.4

Moodle Cross-site Scripting

Published: 2022-05-24Modified: 2024-04-24

CVSS 3.xMEDIUM 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

GHSA-mm73-86f9-5x5c

MEDIUM4.3

Moodle Grade information disclosure in grade's external fetch functions

Published: 2022-05-24Modified: 2024-04-24

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

GHSA-xhfx-rm8q-c3xv

MEDIUM5.4

Moodle Vulnerable to Reflected Cross-site Scripting

Published: 2022-05-24Modified: 2023-09-12

CVSS 3.xMEDIUM 5.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

Package update moodle in branch sisyphus

Closed issues (19)

Уязвимость реализации технологии аутентификации Shibboleth виртуальной обучающей среды Moodle, позволяющая нарушителю выполнить произвольный код

Уязвимость фильтра преобразования текстовых выражений TeX виртуальной обучающей среды Moodle, позволяющая нарушителю проводить межсайтовые сценарные атаки

Уязвимость компонента New Activity Handler виртуальной обучающей среды Moodle, позволяющая нарушителю выполнить произвольный код

It was found in Moodle before version 3.10.1 that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.

It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades.

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.

Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name parameter) of a new activity.

Moodle Arbitrary PHP code execution by site admins via Shibboleth configuration

Moodle Client side denial of service via personal message

Moodle command execution vulnerability exists in the default legacy spellchecker plugin

Moodle Cross-site Scripting

Moodle Grade information disclosure in grade's external fetch functions

Moodle Vulnerable to Reflected Cross-site Scripting