All errata/c9f2/ALT-PU-2022-1641-1
ALT-PU-2022-1641-1

Package update moodle in branch c9f2

Version3.11.6-alt1
Task#297552
Published2022-04-06
Max severityCRITICAL
Severity:

Closed issues (72)

BDU:2021-01190
HIGH7.2

Уязвимость реализации технологии аутентификации Shibboleth виртуальной обучающей среды Moodle, позволяющая нарушителю выполнить произвольный код

Published: 2021-03-11
CVSS 3.xHIGH 7.2
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0CRITICAL 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C
References
BDU:2021-01191
MEDIUM4.4

Уязвимость фильтра преобразования текстовых выражений TeX виртуальной обучающей среды Moodle, позволяющая нарушителю проводить межсайтовые сценарные атаки

Published: 2021-03-11
CVSS 3.xMEDIUM 4.4
CVSS:3.x/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0LOW 3.6
CVSS:2.0/AV:N/AC:H/Au:S/C:P/I:P/A:N
References
BDU:2021-01192
MEDIUM5.3

Уязвимость виртуальной обучающей среды Moodle, связанная с недостатками вводимых символов при обработке сообщений, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-03-11
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2021-01193
MEDIUM4.3

Уязвимость реализации модуля «Gradebook» («Оценки») виртуальной обучающей среды Moodle, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2021-03-11
CVSS 3.xMEDIUM 4.3
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
References
BDU:2021-01194
MEDIUM5.4

Уязвимость виртуальной обучающей среды Moodle, связанная с недостаточной очисткой введенных пользователем данных в определенных поисковых запросах, позволяющая нарушителю проводить межсайтовые сценарные атаки

Published: 2021-03-11
CVSS 3.xMEDIUM 5.4
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS 2.0MEDIUM 5.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N
References
BDU:2021-02734
MEDIUM6.1

Уязвимость виртуальной обучающей среды Moodle, существующая из-за недостаточной очистки предоставленных пользователем данных в конечной точке авторизации LTI, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)

Published: 2021-06-01
CVSS 3.xMEDIUM 6.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
BDU:2021-02735
MEDIUM4.3

Уязвимость виртуальной обучающей среды Moodle, связанная с раскрытием информации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации в формате CSV

Published: 2021-06-01
CVSS 3.xMEDIUM 4.3
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2021-02736
MEDIUM4.3

Уязвимость виртуальной обучающей среды Moodle, существующая из-за недостаточной проверки входных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2021-06-01
CVSS 3.xMEDIUM 4.3
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
References
BDU:2021-02737
HIGH7.2

Уязвимость виртуальной обучающей среды Moodle, существующая из-за недостаточной очистки предоставленных пользователем данных в вызове XML-RPC, позволяющая нарушителю произвольные SQL-запросы

Published: 2021-06-01Modified: 2021-06-02
CVSS 3.xHIGH 7.2
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0CRITICAL 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C
References
BDU:2021-02738
HIGH7.2

Уязвимость виртуальной обучающей среды Moodle, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю выполнить произвольный HTML-код и код сценария в браузере пользователя в контексте уязвимого веб-сайта

Published: 2021-06-01
CVSS 3.xHIGH 7.2
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
BDU:2021-02740
HIGH7.5

Уязвимость виртуальной обучающей среды Moodle, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-06-01
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2021-03914
HIGH8.1

Уязвимость системы управления Moodle, связанная с непринятием мер по защите SQL запроса, позволяющая нарушителю выполнять произвольный код

Published: 2021-08-05
CVSS 3.xHIGH 8.1
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 2.0CRITICAL 9.4
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:N
References
BDU:2021-03915
HIGH8.1

Уязвимость системы управления Moodle, связанная с непринятием мер по защите SQL запроса, позволяющая нарушителю выполнять произвольный код

Published: 2021-08-05
CVSS 3.xHIGH 8.1
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 2.0CRITICAL 9.4
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:N
References
BDU:2021-03916
CRITICAL9.8

Уязвимость системы управления Moodle, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код

Published: 2021-08-05
CVSS 3.xCRITICAL 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2021-03917
MEDIUM4.3

Уязвимость системы управления Moodle, связанная с неконтролируемой рекурсией, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-08-05
CVSS 3.xMEDIUM 4.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2021-03918
MEDIUM5.8

Уязвимость системы управления Moodle, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю осуществить SSRF-атаку

Published: 2021-08-05
CVSS 3.xMEDIUM 5.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2021-03919
MEDIUM4.3

Уязвимость системы управления Moodle, связанная с ошибками разграничения прав пользователей, позволяющая нарушителю обойти функции безопасности

Published: 2021-08-05
CVSS 3.xMEDIUM 4.3
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
References
BDU:2021-03923
MEDIUM4.3

Уязвимость системы управления Moodle, связанная с ошибками при обработке гипертекстовых ссылок, позволяющая нарушителю обойти функции безопасности

Published: 2021-08-05
CVSS 3.xMEDIUM 4.3
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
References
BDU:2021-03924
MEDIUM5.4

Уязвимость системы управления Moodle, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)

Published: 2021-08-05
CVSS 3.xMEDIUM 5.4
CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
BDU:2021-03925
LOW3.1

Уязвимость системы управления Moodle, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю получить конфиденциальную информацию

Published: 2021-08-05
CVSS 3.xLOW 3.1
CVSS:3.x/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS 2.0LOW 2.6
CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:N
References
BDU:2021-03926
LOW3.1

Уязвимость системы управления Moodle, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю получить конфиденциальную информацию

Published: 2021-08-05
CVSS 3.xLOW 3.1
CVSS:3.x/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS 2.0LOW 2.6
CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:N
References
BDU:2021-06185
MEDIUM6.5

Уязвимость системы управления Moodle, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить привилегии

Published: 2021-12-17
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
BDU:2021-06186
MEDIUM6.1

Уязвимость системы управления Moodle, связанная с непринятием мер по защите структуры веб-страниц, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)

Published: 2021-12-17
CVSS 3.xMEDIUM 6.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
BDU:2021-06190
MEDIUM6.1

Уязвимость функции «delete related badge» системы управления Moodle, связанная с межсайтовыми фольсификациями запросов, позволяющая нарушителю осуществить CSRF-атаку

Published: 2021-12-17
CVSS 3.xMEDIUM 6.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
CVE-2020-25628
MEDIUM6.1

The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

Published: 2020-12-08Modified: 2024-11-21
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 3.xMEDIUM 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
CVE-2020-25629
HIGH8.8

A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

Published: 2020-12-08Modified: 2024-11-21
CVSS 2.0MEDIUM 6.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2020-25630
HIGH7.5

A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

Published: 2020-12-08Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2020-25631
MEDIUM6.1

A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.

Published: 2020-12-08Modified: 2024-11-21
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 3.xMEDIUM 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
CVE-2020-25698
HIGH7.5

Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

Published: 2020-11-19Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References
CVE-2020-25699
HIGH7.5

In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

Published: 2020-11-19Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References
CVE-2020-25700
MEDIUM6.5

In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10.

Published: 2020-11-19Modified: 2024-11-21
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References
CVE-2020-25701
MEDIUM5.3

If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

Published: 2020-11-19Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
CVE-2020-25703
MEDIUM5.3

The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.

Published: 2020-11-19Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2021-20185
MEDIUM5.3

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.

Published: 2021-01-28Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
CVE-2021-20186
MEDIUM5.4

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.

Published: 2021-01-28Modified: 2024-11-21
CVSS 2.0LOW 2.1
CVSS:2.0/AV:N/AC:H/Au:S/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References
CVE-2021-20187
HIGH7.2

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.

Published: 2021-01-28Modified: 2024-11-21
CVSS 2.0MEDIUM 6.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS 3.xHIGH 7.2
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References
CVE-2021-20279
MEDIUM5.4

The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

Published: 2021-03-15Modified: 2024-11-21
CVSS 2.0LOW 3.5
CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References
CVE-2021-20280
MEDIUM5.4

Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

Published: 2021-03-15Modified: 2024-11-21
CVSS 2.0LOW 3.5
CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References
CVE-2021-20281
MEDIUM5.3

It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

Published: 2021-03-15Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2021-20282
MEDIUM5.3

When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

Published: 2021-03-15Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
CVE-2021-20283
MEDIUM4.3

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

Published: 2021-03-15Modified: 2024-11-21
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References
CVE-2021-32473
MEDIUM5.3

It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected

Published: 2022-03-11Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2021-32474
HIGH7.2

An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.

Published: 2022-03-11Modified: 2024-11-21
CVSS 2.0MEDIUM 6.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS 3.xHIGH 7.2
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References
CVE-2021-32475
MEDIUM5.4

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.

Published: 2022-03-11Modified: 2024-11-21
CVSS 2.0LOW 3.5
CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References
CVE-2021-32476
HIGH7.5

A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.

Published: 2022-03-11Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2021-32478
MEDIUM6.1

The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected.

Published: 2022-03-11Modified: 2024-11-21
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 3.xMEDIUM 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
CVE-2021-43558
MEDIUM6.1

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.

Published: 2021-11-22Modified: 2024-11-21
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 3.xMEDIUM 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
CVE-2021-43559
HIGH8.8

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

Published: 2021-11-22Modified: 2024-11-21
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
CVE-2021-43560
MEDIUM5.3

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.

Published: 2021-11-22Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2022-0333
LOW3.8

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.

Published: 2022-01-25Modified: 2024-11-21
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS 3.xLOW 3.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
References
CVE-2022-0334
MEDIUM4.3

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.

Published: 2022-01-25Modified: 2024-11-21
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References
CVE-2022-0335
HIGH8.8

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.

Published: 2022-01-25Modified: 2024-11-21
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References