Moodle has insufficient access control

Moodle Blind SSRF Risk in /badges/mybackpack.php

Moodle Improper Privilege Management

A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").

Moodle cross-site scripting (XSS) vulnerability

admin/roles/override.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to gain privileges by leveraging the teacher role and modifying their own capabilities, as demonstrated by obtaining the backup:userinfo capability.

Cross-site request forgery (CSRF) vulnerability in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to modify profile settings and gain privileges as other users via a link or IMG tag to the user edit profile page.

Moodle Authenticated LFI risk in some misconfigured shared hosting environments

Improper Access Control in moodle

Moodle Open Redirect in Calendar Set Page

Moodle Allows Modification of Constants

Moodle has a Hidden Functionality vulnerability

Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough

Moodle Private files uploaded via incoming mail processing could bypass quota restrictions

Moodle allows users to retrieve information they did not have permission to access

Moodle Cross-site Scripting vulnerability

Moodle Session Fixation vulnerability

Moodle cross-site scripting (XSS) vulnerability

Moodle places a session key in a URL

Moodle does not force password changes for autosubscribed users