Vulnerabilities > Moodle > Medium

DATE | CVE | VULNERABILITY TITLE | RISK

2012-07-23 | CVE-2012-3391 | Permissions, Privileges, and Access Controls vulnerability in Moodle | 4.0
mod/forum/rsslib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 does not properly implement the requirement for posting before reading a Q&A forum, which allows remote authenticated users to bypass intended access restrictions by leveraging the student role and reading the RSS feed for a forum.
network, low complexity, moodle, CWE-264

2012-07-23 | CVE-2012-3389 | Cross-Site Scripting vulnerability in Moodle | 4.3
Multiple cross-site scripting (XSS) vulnerabilities in mod/lti/typessettings.php in Moodle 2.2.x before 2.2.4 and 2.3.x before 2.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) lti_typename or (2) lti_toolurl parameter.
network, moodle, CWE-79

2012-07-23 | CVE-2012-3388 | Permissions, Privileges, and Access Controls vulnerability in Moodle | 4.0
The is_enrolled function in lib/accesslib.php in Moodle 2.2.x before 2.2.4 and 2.3.x before 2.3.1 does not properly interact with the caching feature, which might allow remote authenticated users to bypass an intended capability check via unspecified vectors that trigger caching of a user record.
network, low complexity, moodle, CWE-264

2012-07-23 | CVE-2012-3387 | Permissions, Privileges, and Access Controls vulnerability in Moodle 2.3.0 | 4.0
Moodle 2.3.x before 2.3.1 uses only a client-side check for whether references are permitted in a file upload, which allows remote authenticated users to bypass intended alias (aka shortcut) restrictions via a client that omits this check.
network, low complexity, moodle, CWE-264

2012-07-21 | CVE-2012-2367 | Permissions, Privileges, and Access Controls vulnerability in Moodle | 4.0
Moodle 1.9.x before 1.9.18, 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to bypass the moodle/calendar:manageownentries capability requirement and add a calendar entry via a New Entry action.
network, low complexity, moodle, CWE-264

2012-07-21 | CVE-2012-2366 | Unspecified vulnerability in Moodle | 5.5
mod/data/preset.php in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 does not properly iterate through an array, which allows remote authenticated users to overwrite arbitrary database activity presets via unspecified vectors.
network, low complexity, moodle

2012-07-21 | CVE-2012-2363 | SQL Injection vulnerability in Moodle | 6.5
SQL injection vulnerability in calendar/event.php in the calendar implementation in Moodle 1.9.x before 1.9.18 allows remote authenticated users to execute arbitrary SQL commands via a crafted calendar event.
network, low complexity, moodle, CWE-89

2012-07-21 | CVE-2012-2358 | Permissions, Privileges, and Access Controls vulnerability in Moodle | 5.5
Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to bypass an activity's read-only state and modify the database by leveraging the student role and editing database activity entries that already exist.
network, low complexity, moodle, CWE-264

2012-07-21 | CVE-2012-2356 | Permissions, Privileges, and Access Controls vulnerability in Moodle | 4.0
The question-bank functionality in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass intended capability requirements and save questions via a save_question action.
network, low complexity, moodle, CWE-264

2012-07-21 | CVE-2012-2355 | Permissions, Privileges, and Access Controls vulnerability in Moodle | 4.0
Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass question:use* capability requirements and add arbitrary questions to a quiz via the questions feature.
network, low complexity, moodle, CWE-264