Vulnerabilities > Moodle > Moodle > 3.0.5

DATE CVE VULNERABILITY TITLE RISK
2017-05-15 CVE-2017-7491 Cross-Site Request Forgery (CSRF) vulnerability in Moodle
In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.
network
moodle CWE-352
4.3
4.3
2017-05-15 CVE-2017-7490 Exposure of Resource to Wrong Sphere vulnerability in Moodle
In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.
network
low complexity
moodle CWE-668
5.0
5.0
2017-05-15 CVE-2017-7489 Improper Privilege Management vulnerability in Moodle
In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
network
low complexity
moodle CWE-269
6.5
6.5
2017-03-26 CVE-2017-2641 SQL Injection vulnerability in Moodle
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
network
low complexity
moodle CWE-89
7.5
7.5
2017-01-20 CVE-2017-2576 Improper Input Validation vulnerability in Moodle
In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.
network
low complexity
moodle CWE-20
5.0
5.0
2017-01-20 CVE-2016-8644 Permissions, Privileges, and Access Controls vulnerability in Moodle
In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.
network
low complexity
moodle CWE-264
5.0
5.0
2017-01-20 CVE-2016-8643 Improper Access Control vulnerability in Moodle
In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.
network
low complexity
moodle CWE-284
4.0
4.0
2017-01-20 CVE-2016-8642 Improper Access Control vulnerability in Moodle
In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.
network
low complexity
moodle CWE-284
5.0
5.0
2017-01-20 CVE-2016-7038 Weak Password Recovery Mechanism for Forgotten Password vulnerability in Moodle
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.
network
low complexity
moodle CWE-640
5.0
5.0
2016-11-04 CVE-2016-9188 Cross-site Scripting vulnerability in Moodle
Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters.
network
moodle CWE-79
4.3
4.3