ALT-PU-2022-2450-2

BDU:2022-01636

HIGH8.8

Уязвимость виртуальной обучающей среды Moodle, связанная с непринятием мер по защите структуры запроса SQL , позволяющая нарушителю выполнять произвольные SQL-запросы в базе данных

Опубликовано: 2022-03-31

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0КРИТИЧЕСКАЯ 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

Ссылки

CVE-2022-0983

BDU:2022-01638

MEDIUM6.3

Уязвимость виртуальной обучающей среды Moodle, связанная с недостатками контроля доступа, позволяющая нарушителю настроить значки курса с помощью критериев поля профиля

Опубликовано: 2022-03-31

CVSS 3.xСРЕДНЯЯ 6.3

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS 2.0ВЫСОКАЯ 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

Ссылки

CVE-2022-0984

BDU:2023-03479

CRITICAL9.8

Уязвимость компонента mod_h5pactivity виртуальной обучающей среды Moodle, позволяющая нарушителю выполнять произвольные SQL-запросы в базе данных

Опубликовано: 2023-06-30

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0КРИТИЧЕСКАЯ 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

Ссылки

CVE-2022-0332

CVE-2022-0332

CRITICAL9.8

A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.

Опубликовано: 2022-01-25Изменено: 2024-11-21

CVSS 2.0ВЫСОКАЯ 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2022-0333

LOW3.8

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.

Опубликовано: 2022-01-25Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 5.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS 3.xНИЗКАЯ 3.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Ссылки

CVE-2022-0334

MEDIUM4.3

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.

Опубликовано: 2022-01-25Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Ссылки

CVE-2022-0335

HIGH8.8

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.

Опубликовано: 2022-01-25Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 6.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Ссылки

CVE-2022-0983

HIGH8.8

An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

Опубликовано: 2022-03-25Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 6.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2022-0984

MEDIUM4.3

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.

Опубликовано: 2022-04-29Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Ссылки

CVE-2022-0985

MEDIUM4.3

Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.

Опубликовано: 2022-04-29Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Ссылки

GHSA-6jhm-4vmx-mr76

CRITICAL9.8

SQL injection in Moodle

Опубликовано: 2022-01-29Изменено: 2022-02-02

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

GHSA-6q9g-3vfq-q2qj

MEDIUM4.3

Improper Authentication in moodle

Опубликовано: 2022-04-30Изменено: 2022-05-25

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Ссылки

GHSA-93pj-4p65-qmr9

MEDIUM4.3

Insufficient user authorization in Moodle

Опубликовано: 2022-01-29Изменено: 2022-02-02

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Ссылки

GHSA-c5hf-mc85-2hx4

MEDIUM4.3

Missing authorization in Moodle

Опубликовано: 2022-04-30Изменено: 2022-05-25

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Ссылки

GHSA-h2fw-93qx-vrcq

HIGH8.8

SQL Injection in Moodle

Опубликовано: 2022-03-26Изменено: 2022-04-01

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

GHSA-m434-m5pv-p35w

LOW3.8

Insufficient user authorization in Moodle

Опубликовано: 2022-01-29Изменено: 2022-02-02

CVSS 3.xНИЗКАЯ 3.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Ссылки

GHSA-xpfv-89vg-r562

HIGH8.8

Cross Site Request Forgery in Moodle

Опубликовано: 2022-01-29Изменено: 2022-02-02

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Ссылки

Обновление пакета moodle в ветке p10

Закрытые проблемы (17)

Уязвимость компонента mod_h5pactivity виртуальной обучающей среды Moodle, позволяющая нарушителю выполнять произвольные SQL-запросы в базе данных

A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.

An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.

Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.

SQL injection in Moodle

Improper Authentication in moodle

Insufficient user authorization in Moodle

Missing authorization in Moodle

SQL Injection in Moodle

Insufficient user authorization in Moodle

Cross Site Request Forgery in Moodle