Vulnerabilities > Moodle > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2012-09-19 | CVE-2012-4408 | Permissions, Privileges, and Access Controls vulnerability in Moodle course/reset.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 checks an update capability instead of a reset capability, which allows remote authenticated users to bypass intended access restrictions via a reset operation. | 5.5 |
2012-09-19 | CVE-2012-4407 | Information Exposure vulnerability in Moodle lib/filelib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly check the publication state of blog files, which allows remote attackers to obtain sensitive information by reading a blog entry that references a non-public file. | 5.0 |
2012-09-19 | CVE-2012-4403 | Information Exposure vulnerability in Moodle 2.3.0/2.3.1 theme/yui_combo.php in Moodle 2.3.x before 2.3.2 does not properly construct error responses for the drag-and-drop script, which allows remote attackers to obtain the installation path by sending a request for a nonexistent resource and then reading the response. | 5.0 |
2012-09-19 | CVE-2012-4402 | Permissions, Privileges, and Access Controls vulnerability in Moodle webservice/lib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly restrict the use of web-service tokens, which allows remote authenticated users to run arbitrary external-service functions via a token intended for only one service. | 4.9 |
2012-09-19 | CVE-2012-4401 | Permissions, Privileges, and Access Controls vulnerability in Moodle Moodle 2.2.x before 2.2.5 and 2.3.x before 2.3.2 allows remote authenticated users to bypass intended capability restrictions and perform certain topic changes by leveraging course-editing capabilities. | 4.0 |
2012-09-19 | CVE-2012-4400 | Permissions, Privileges, and Access Controls vulnerability in Moodle repository/repository_ajax.php in Moodle 2.2.x before 2.2.5 and 2.3.x before 2.3.2 allows remote authenticated users to bypass intended upload-size restrictions via a -1 value in the maxbytes field. | 4.0 |
2012-07-23 | CVE-2012-3398 | Unspecified vulnerability in Moodle Algorithmic complexity vulnerability in Moodle 1.9.x before 1.9.19, 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to cause a denial of service (CPU consumption) by using the advanced-search feature on a database activity that has many records. | 4.0 |
2012-07-23 | CVE-2012-3397 | Permissions, Privileges, and Access Controls vulnerability in Moodle lib/modinfolib.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 does not check for a group-membership requirement when determining whether an activity is unavailable or hidden, which allows remote authenticated users to bypass intended access restrictions by selecting an activity that is configured for a group of other users. | 4.0 |
2012-07-23 | CVE-2012-3395 | SQL Injection vulnerability in Moodle SQL injection vulnerability in mod/feedback/complete.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to execute arbitrary SQL commands via crafted form data. | 6.5 |
2012-07-23 | CVE-2012-3392 | Configuration vulnerability in Moodle mod/forum/unsubscribeall.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not consider whether a forum is optional, which allows remote authenticated users to bypass forum-subscription requirements by leveraging the student role and unsubscribing from all forums. | 5.5 |