Cross-site scripting (XSS) vulnerability in repository/lib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 allows remote authenticated administrators to inject arbitrary web script or HTML by renaming a repository.

Moodle XSS Vulnerability

Moodle External function mod_assign_save_submission does not check due dates

Moodle allows teachers to evade trusttext config when restoring glossary entries

Moodle does not provide charset information in HTTP headers

Moodle Arbitrary File Read via Backup Functionality

Moodle leaks user names

Moodle 1.5.2 and earlier stores sensitive information under the web root with insufficient access control, and provides directory listings, which allows remote attackers to obtain user names, password hashes, and other sensitive information via a direct request for session (sess_*) files in moodledata/sessions/.

Moodle's AJAX section delete does not respect course_can_delete_section()

Improper Access Control in moodle

Moodle XSS Vulnerability

Moodle allows attackers to extract archives to arbitrary directories

Moodle Incorrect sanitation of attributes in forums

Cross-site scripting (XSS) vulnerability in mod/wiki/lang/en/wiki.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the section parameter.

Moodle allows IDOR in RSS block, which allows access to additional RSS feeds

Moodle cross-site scripting (XSS) vulnerability

Moodle Session Fixation allows unauthenticated users to hijack sessions via sesskey parameter

SQL injection vulnerability in mod/feedback/complete.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to execute arbitrary SQL commands via crafted form data.

Moodle before 2.2.2 has a password and web services issue where when the user profile is updated the user password is reset if not specified.

Moodle's login_as feature leaks information from external repositories