Vulnerabilities > Moodle > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-18 | CVE-2024-38276 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Incorrect CSRF token checks resulted in multiple CSRF risks. | 8.8 |
| 2024-05-31 | CVE-2024-34008 | Cross-Site Request Forgery (CSRF) vulnerability in Moodle Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk. | 8.8 |
| 2024-02-19 | CVE-2024-25978 | Allocation of Resources Without Limits or Throttling vulnerability in multiple products Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality. | 7.5 |
| 2024-02-19 | CVE-2024-25982 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products The link to update all installed language packs did not include the necessary token to prevent a CSRF risk. | 8.8 |
| 2023-11-09 | CVE-2023-5539 | Code Injection vulnerability in multiple products A remote code execution risk was identified in the Lesson activity. | 8.8 |
| 2023-11-09 | CVE-2023-5540 | Code Injection vulnerability in multiple products A remote code execution risk was identified in the IMSCP activity. | 8.8 |
| 2023-06-22 | CVE-2023-35133 | Server-Side Request Forgery (SSRF) vulnerability in Moodle An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. | 7.5 |
| 2023-05-02 | CVE-2023-30944 | SQL Injection vulnerability in multiple products The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. | 7.3 |
| 2023-03-23 | CVE-2023-28329 | SQL Injection vulnerability in Moodle Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers). | 8.8 |
| 2023-03-23 | CVE-2023-28335 | Cross-Site Request Forgery (CSRF) vulnerability in Moodle 4.1.0/4.1.1 The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk. | 8.8 |