Moodle — система управления образовательными электронными курсами

Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an error page that links to a URL from an HTTP Referer header.

Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x ...

mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading.

mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2 ...

Cross-site scripting (XSS) vulnerability in mod/quiz/report/statistics/statistics_question_table.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the student role for a crafted quiz response.

Cross-site scripting (XSS) vulnerability in mod/quiz/report/statistics ...

login/token.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass a forced-password-change requirement by creating a web-services token.

login/token.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x bef ...

tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/tag:flag capability before proceeding with a flaginappropriate action, which allows remote authenticated users to bypass intended access restrictions via the "Flag as inappropriate" feature.

tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before ...