Vulnerabilities > Moodle
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2022-04-29 | CVE-2022-0984 | Incorrect Authorization vulnerability in multiple products | Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges. | 4.0 |
2022-04-29 | CVE-2022-0985 | Incorrect Authorization vulnerability in Moodle | Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability. | 4.3 |
2022-03-25 | CVE-2022-0983 | SQL Injection vulnerability in multiple products | An SQL injection risk was identified in Badges code relating to configuring criteria. | 8.8 |
2022-03-11 | CVE-2021-32472 | Missing Authorization vulnerability in Moodle | Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances. | 4.3 |
2022-03-11 | CVE-2021-32473 | Unspecified vulnerability in Moodle | It was possible for a student to view their quiz grade before it had been released, using a quiz web service. | 5.0 |
2022-03-11 | CVE-2021-32474 | SQL Injection vulnerability in Moodle | An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. | 6.5 |
2022-03-11 | CVE-2021-32475 | Cross-site Scripting vulnerability in Moodle | ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk. | 3.5 |
2022-03-11 | CVE-2021-32476 | Allocation of Resources Without Limits or Throttling vulnerability in Moodle | A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits. | 7.5 |
2022-03-11 | CVE-2021-32477 | Missing Authorization vulnerability in Moodle | The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). | 4.0 |
2022-03-11 | CVE-2021-32478 | Cross-site Scripting vulnerability in Moodle | The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. | 6.1 |