Moodle is a system for managing educational e-courses
Release cycle, vulnerability information
Release schedule
Count: 2,577
| Vulnerability | CVSS | EPSS | Published |
|---|---|---|---|
| GHSA-x6xq-cgc6-h2fq mod/assign/locallib.php in the assignment module in Moodle 2.3.x before 2.3.7 and 2.4.x before 2.4.4 does not consider capability requirements during the processing of ZIP assignment-archive download (aka downloadall) requests, which allows remote authenticated users to read other users' assignments by leveraging the student role. | | 0% Low | more than 3 years ago |
| GHSA-xr24-jp5c-6c4v Moodle reveals absolute path in exception message | | 0% Low | more than 3 years ago |
| GHSA-fx5h-3786-h2w6 PHP Spellchecker addon for TinyMCE allows attackers to trigger arbitrary outbound HTTP requests | | 1% Low | more than 3 years ago |
| GHSA-p239-x7hg-j3w6 blog/rsslib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 continues to provide a blog RSS feed after blogging is disabled, which allows remote attackers to obtain sensitive information by reading this feed. | | 0% Low | more than 3 years ago |
| GHSA-pgp5-rcwp-qvfg Moodle includes the WebDAV password in the configuration form | | 0% Low | more than 3 years ago |
| GHSA-8r7x-qq55-74v2 Moodle does not enforce the forceloginforprofiles setting | | 0% Low | more than 3 years ago |
| GHSA-qv3v-qfq2-p7vh lib.php in the Submission comments plugin in the Assignment module in Moodle 2.3.x before 2.3.4 and 2.4.x before 2.4.1 allows remote attackers to read or modify the submission comments (aka feedback comments) of arbitrary users via a crafted URI. | | 0% Low | more than 3 years ago |
| GHSA-8p2c-fgqv-ch4v Multiple open redirect vulnerabilities in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors related to (1) backup/backupfilesedit.php, (2) comment/comment_post.php, (3) course/switchrole.php, (4) mod/wiki/filesedit.php, (5) tag/coursetags_add.php, or (6) user/files.php. | | 0% Low | more than 3 years ago |
| GHSA-227w-xh58-rx2j Multiple cross-site request forgery (CSRF) vulnerabilities in user/messageselect.php in the messaging system in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attackers to hijack the authentication of arbitrary users for requests that send course messages. | | 0% Low | more than 3 years ago |
| GHSA-wfmm-xq3h-78xx grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/grade:manage capability requirement, which allows remote authenticated users to convert custom outcomes into standard site-wide outcomes by leveraging the teacher role and using the re-editing feature. | | 0% Low | more than 3 years ago |