ALT-PU-2022-1064-2

BDU:2023-03479

CRITICAL9.8

Уязвимость компонента mod_h5pactivity виртуальной обучающей среды Moodle, позволяющая нарушителю выполнять произвольные SQL-запросы в базе данных

Опубликовано: 2023-06-30

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0КРИТИЧЕСКАЯ 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

Ссылки

CVE-2022-0332

CVE-2022-0332

CRITICAL9.8

A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.

Опубликовано: 2022-01-25Изменено: 2024-11-21

CVSS 2.0ВЫСОКАЯ 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2022-0333

LOW3.8

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.

Опубликовано: 2022-01-25Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 5.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS 3.xНИЗКАЯ 3.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Ссылки

CVE-2022-0334

MEDIUM4.3

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.

Опубликовано: 2022-01-25Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Ссылки

CVE-2022-0335

HIGH8.8

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.

Опубликовано: 2022-01-25Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Ссылки

GHSA-6jhm-4vmx-mr76

CRITICAL9.8

SQL injection in Moodle

Опубликовано: 2022-01-29Изменено: 2022-02-02

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

GHSA-93pj-4p65-qmr9

MEDIUM4.3

Insufficient user authorization in Moodle

Опубликовано: 2022-01-29Изменено: 2022-02-02

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Ссылки

GHSA-m434-m5pv-p35w

LOW3.8

Insufficient user authorization in Moodle

Опубликовано: 2022-01-29Изменено: 2022-02-02

CVSS 3.xНИЗКАЯ 3.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Ссылки

GHSA-xpfv-89vg-r562

HIGH8.8

Cross Site Request Forgery in Moodle

Опубликовано: 2022-01-29Изменено: 2022-02-02

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Ссылки

Обновление пакета moodle в ветке sisyphus

Закрытые проблемы (9)

Уязвимость компонента mod_h5pactivity виртуальной обучающей среды Moodle, позволяющая нарушителю выполнять произвольные SQL-запросы в базе данных

A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.

SQL injection in Moodle

Insufficient user authorization in Moodle

Insufficient user authorization in Moodle

Cross Site Request Forgery in Moodle