Moodle — система управления образовательными электронными курсами

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Уязвимость виртуальной обучающей среды Moodle, связанная с некорректным управлением сеансом, позволяющая нарушителю перехватить сеанс пользователя

Moodle allows IDOR when accessing the cohorts report

Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository

Moodle's mod_data edit/delete pages pass CSRF token in GET parameter

Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository

Moodle has reflected Cross-site Scripting risk in policy tool

Moodle has a CSRF risk in user tours manager that allows tour duplication

Moodle allows IDOR in RSS block, which allows access to additional RSS feeds