Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough

Moodle Private files uploaded via incoming mail processing could bypass quota restrictions

Moodle allows users to retrieve information they did not have permission to access

Moodle Cross-site Scripting vulnerability

Moodle Session Fixation vulnerability

Moodle cross-site scripting (XSS) vulnerability

Moodle places a session key in a URL

Moodle does not force password changes for autosubscribed users

lib/formslib.php in Moodle 2.2.x before 2.2.6 and 2.3.x before 2.3.3 allows remote authenticated users to bypass intended access restrictions via a modified value of a frozen form field.

Moodle Open Redirect Via Error Messages

Moodle has reflected Cross-site Scripting risk in policy tool

Moodle before 2.2.2: Course information leak via hidden courses being displayed in tag search results

Moodle multiple cross-site scripting (XSS) vulnerabilities

Moodle Setting for blocked hosts list can be bypassed with multiple A record hostnames

Moodle cross-site request forgery (CSRF) vulnerability

mnet/xmlrpc/client.php in MNET in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 does not properly process the return value of the openssl_verify function, which allows remote attackers to bypass validation via a crafted certificate.

Moodle sensitive information disclosure

Moodle reflected XSS via H5P error message

Cross-site scripting (XSS) vulnerability in post.php in Moodle before 1.3 allows remote attackers to inject arbitrary web script or HTML via the reply parameter.

Moodle vulnerable to Cross-site Scripting