Moodle allows remote attackers to obtain sensitive information from myprofile block by visiting user-context page

Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe/unsubscribe via mod/forum/index.php

Moodle Exposes Sensitive User Information

Moodle Allows Unauthenticated Dropbox Access

Moodle allows attackers to bypass the mod/lti:view capability requirement

Moodle sensitive information disclosure

Moodle allows attackers to enter additional answer attempts

Moodle Authenticated LFI risk in some misconfigured shared hosting environments

Moodle Grade information disclosure in grade's external fetch functions

Moodle Reflected XSS in mod_data advanced search

lib/moodlelib.php in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 does not properly handle certain zero values in the password policy, which makes it easier for remote attackers to obtain access by leveraging the possible existence of user accounts that have unchangeable blank passwords.

Moodle stored Cross-site Scripting (XSS)

Moodle does not enforce the moodle/site:accessallgroups capability requirement

moodle: IDOR when fetching report schedules

Moodle open redirect vulnerability

Moodle vulnerable to Cross-Site Request Forgery

Multiple cross-site scripting (XSS) vulnerabilities in blog/index.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Moodle has a CSRF risk in Brickfield tool's analysis request action

Moodle multiple cross-site scripting (XSS) vulnerabilities

Moodle allows attackers to obtain sensitive category-detail information