Moodle does not properly restrict comment capabilities

Moodle LTI module reflected XSS risk

In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool.

Moodle allows attackers to bypass file-management restrictions

Multiple unknown vulnerabilities in Moodle before 1.5.1 have unknown impact and attack vectors.

Moodle Open Redirect Vulnerability

Cross site-scripting (XSS) moodle

Moodle stored Cross-site Scripting

Moodle Users could elevate their role when accessing the LTI tool on a provider site

Moodle Exposure of Sensitive Information to an Unauthorized Actor

Moodle allows attackers to modify the visibility of a badge

Moodle Improper Access Control vulnerability

Moodle cross-site request forgery (CSRF) vulnerability

CRLF injection vulnerability in calendar/set.php in the Calendar subsystem in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Multiple cross-site scripting (XSS) vulnerabilities in Moodle before 1.6.2 might allow remote attackers to inject arbitrary web script or HTML via (1) the choose parameter in files/index.php and (2) the sub parameter in doc/index.php.

Moodle vulnerable to Cross-site Scripting

The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before 2.5.7 does not check whether a session ID is empty, which allows remote authenticated users to hijack sessions via crafted plugin interaction.

Moodle exposes hidden grades to students

Moodle XSS Vulnerability

Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass the moodle/site:readallmessages capability requirement and read arbitrary messages by using the "Recent conversations" feature with a modified parameter in a URL.