Vulnerabilities > Moodle > Medium

DATE CVE VULNERABILITY TITLE RISK
2016-05-22 CVE-2016-2156 Information Exposure vulnerability in Moodle
calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request.
network
low complexity
moodle CWE-200
4.3
2016-05-22 CVE-2016-2155 Permissions, Privileges, and Access Controls vulnerability in Moodle
The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging the Non-Editing Instructor role.
network
low complexity
moodle CWE-264
4.3
2016-05-22 CVE-2016-2154 Information Exposure vulnerability in Moodle
admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to discover hidden course names by subscribing to a rule.
network
low complexity
moodle CWE-200
4.3
2016-05-22 CVE-2016-2153 Cross-site Scripting vulnerability in Moodle
Cross-site scripting (XSS) vulnerability in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via a crafted field in a URL, as demonstrated by a search form field.
network
low complexity
moodle CWE-79
6.1
2016-05-22 CVE-2016-2152 Cross-site Scripting vulnerability in Moodle
Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via an external DB profile field.
network
low complexity
moodle CWE-79
6.1
2016-05-22 CVE-2016-2151 Information Exposure vulnerability in Moodle
user/index.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 grants excessive authorization on the basis of the moodle/course:viewhiddenuserfields capability, which allows remote authenticated users to discover student e-mail addresses by leveraging the teacher role and reading a Participants list.
network
low complexity
moodle CWE-200
4.3
2016-02-22 CVE-2016-0725 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in the search_pagination function in course/classes/management_renderer.php in Moodle 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted search string.
network
low complexity
fedoraproject moodle CWE-79
6.1
2016-02-22 CVE-2016-0724 Information Exposure vulnerability in multiple products
The (1) core_enrol_get_course_enrolment_methods and (2) enrol_self_get_instance_info web services in Moodle through 2.6.11, 2.7.x before 2.7.12, 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 do not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to obtain sensitive information via a web-service request.
network
low complexity
moodle fedoraproject CWE-200
4.3
2016-02-22 CVE-2015-5342 Permissions, Privileges, and Access Controls vulnerability in Moodle
The choice module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote authenticated users to bypass intended access restrictions by visiting a URL to add or delete responses in the closed state.
network
low complexity
moodle CWE-264
4.3
2016-02-22 CVE-2015-5341 Information Exposure vulnerability in Moodle
mod_scorm in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 mishandles availability dates, which allows remote authenticated users to bypass intended access restrictions and read SCORM contents via unspecified vectors.
network
low complexity
moodle CWE-200
4.3