Vulnerabilities > Moodle > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-09 | CVE-2023-5550 | In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. | 9.8 |
| 2023-03-23 | CVE-2023-28333 | Code Injection vulnerability in multiple products The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS). | 9.8 |
| 2023-03-06 | CVE-2021-36392 | SQL Injection vulnerability in Moodle In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses. | 9.8 |
| 2023-03-06 | CVE-2021-36393 | SQL Injection vulnerability in Moodle In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses. | 9.8 |
| 2023-03-06 | CVE-2021-36394 | Unspecified vulnerability in Moodle In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin. | 9.8 |
| 2022-11-25 | CVE-2022-45152 | Server-Side Request Forgery (SSRF) vulnerability in multiple products A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. | 9.1 |
| 2022-09-30 | CVE-2022-40314 | Unspecified vulnerability in Moodle A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified. | 9.8 |
| 2022-09-30 | CVE-2022-40315 | SQL Injection vulnerability in multiple products A limited SQL injection risk was identified in the "browse list of users" site administration page. | 9.8 |
| 2022-07-25 | CVE-2022-35649 | Improper Input Validation vulnerability in multiple products The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. | 9.8 |
| 2022-05-18 | CVE-2022-30599 | SQL Injection vulnerability in multiple products A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria. | 9.8 |