Vulnerabilities > Moodle

DATE CVE VULNERABILITY TITLE RISK
2021-06-23 CVE-2021-21809 Incorrect Permission Assignment for Critical Resource vulnerability in Moodle 3.10.0
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10.
network
low complexity
moodle CWE-732
critical
9.0
2021-06-16 CVE-2021-32244 Cross-Site Scripting vulnerability in Moodle 3.10.3
Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.
network
moodle CWE-79
3.5
2021-05-17 CVE-2019-14827 Code Injection vulnerability in Moodle
A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts.
network
moodle CWE-94
4.3
2021-03-19 CVE-2019-14831 Open Redirect vulnerability in Moodle
A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscribe link contained an open redirect if forced subscription mode was enabled.
network
moodle CWE-601
5.8
2021-03-19 CVE-2019-14830 Open Redirect vulnerability in Moodle
A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed.
network
moodle CWE-601
5.8
2021-03-19 CVE-2019-14829 Improper Following of Specification BY Caller vulnerability in Moodle
A vulnerability was found in Moodle affection 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.
network
low complexity
moodle CWE-573
4.0
2021-03-19 CVE-2019-14828 Improper Authorization vulnerability in Moodle
A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.
network
low complexity
moodle CWE-285
4.0
2021-03-15 CVE-2021-20283 Incorrect Authorization vulnerability in multiple products
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
network
low complexity
moodle fedoraproject CWE-863
4.0
2021-03-15 CVE-2021-20282 Incorrect Authorization vulnerability in multiple products
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
network
low complexity
moodle fedoraproject CWE-863
5.0
2021-03-15 CVE-2021-20281 Information Exposure vulnerability in multiple products
It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
network
low complexity
moodle fedoraproject CWE-200
5.0