Vulnerabilities

CVE-2024-45690

HIGH

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.

Published Nov 20, 2024

CVE-2024-43439

UNKNOWN

A flaw was found in Moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk.

Published Nov 11, 2024

CVE-2024-43435

UNKNOWN

A flaw was found in Moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary.

Published Nov 11, 2024

CVE-2024-43433

UNKNOWN

A flaw was found in Moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users.

Published Nov 11, 2024

CVE-2024-43432

UNKNOWN

A flaw was found in Moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Published Nov 11, 2024

CVE-2024-43430

UNKNOWN

A flaw was found in Moodle. External API access to Quiz can override contained insufficient access control.

Published Nov 11, 2024

CVE-2024-43429

UNKNOWN

A flaw was found in Moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the information.

Published Nov 11, 2024

CVE-2024-43440

UNKNOWN

A flaw was found in Moodle. A local file include risk exists when restoring block backups.

Published Nov 07, 2024

CVE-2024-43438

UNKNOWN

A flaw was found in the Feedback activity. Bulk messaging in the activity's non-respondents report did not verify that message recipients belonged to the set of users returned by the report.

Published Nov 07, 2024

CVE-2024-43436

UNKNOWN

A SQL injection risk was found in the XMLDB editor tool available to site administrators.

Published Nov 07, 2024

CVE-2024-43434

UNKNOWN

The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.

Published Nov 07, 2024

CVE-2024-43431

UNKNOWN

A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.

Published Nov 07, 2024

CVE-2024-43425

UNKNOWN

A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.

Published Nov 07, 2024

CVE-2024-37674

MEDIUM

Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name parameter) of a new activity.

Published Jun 20, 2024

CVE-2024-38277

MEDIUM

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

Published Jun 18, 2024

CVE-2024-38276

HIGH

Incorrect CSRF token checks resulted in multiple CSRF risks.

Published Jun 18, 2024

CVE-2024-38275

HIGH

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Published Jun 18, 2024

CVE-2024-38274

MEDIUM

Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.

Published Jun 18, 2024

CVE-2024-38273

MEDIUM

Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.

Published Jun 18, 2024

CVE-2024-34009

HIGH

Insufficient checks on whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized.

Published May 31, 2024

CVE-2024-34007

HIGH

The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.

Published May 31, 2024

CVE-2024-34005

MEDIUM

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Published May 31, 2024

CVE-2024-34003

MEDIUM

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Published May 31, 2024

CVE-2024-34001

HIGH

Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.

Published May 31, 2024

CVE-2024-33996

MEDIUM

Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.

Published May 31, 2024

CVE-2024-29374

UNKNOWN

A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the "GET /?lang=" URL parameter.

Published Mar 21, 2024

CVE-2024-25980

UNKNOWN

Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

Published Feb 19, 2024

CVE-2024-25979

UNKNOWN

The URL parameters accepted by forum search were not limited to the allowed parameters.

Published Feb 19, 2024

CVE-2024-1439

MEDIUM

Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.

Published Feb 12, 2024

CVE-2023-5550

UNKNOWN

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

Published Nov 09, 2023

CVE-2023-5546

UNKNOWN

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

Published Nov 09, 2023

CVE-2023-5545

UNKNOWN

H5P metadata automatically populated the author with the user's username, which could be sensitive information.

Published Nov 09, 2023

CVE-2023-5542

UNKNOWN

Students in "Only see own membership" groups could see other students in the group, which should be hidden.

Published Nov 09, 2023

CVE-2023-5539

UNKNOWN

A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.

Published Nov 09, 2023

CVE-2023-28330

MEDIUM

Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.

Published Mar 23, 2023

CVE-2023-28329

MEDIUM

Insufficient validation of the profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).

Published Mar 23, 2023

CVE-2023-28334

MEDIUM

Authenticated users were able to enumerate other users' names via the learning plans page.

Published Mar 23, 2023

CVE-2023-28335

HIGH

The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.

Published Mar 23, 2023

CVE-2012-1161

UNKNOWN

Moodle before 2.2.2: course information leak via hidden courses being displayed in tag search results.

Published Nov 14, 2019

CVE-2012-1170

UNKNOWN

Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough.

Published Nov 14, 2019

CVE-2012-1169

UNKNOWN

Moodle before 2.2.2 has a personal information disclosure: when the administrative setting for user name display is set to first name only, full names are still shown in page breadcrumbs.

Published Nov 14, 2019

CVE-2012-1160

UNKNOWN

Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe/unsubscribe via mod/forum/index.php.

Published Nov 14, 2019

CVE-2012-1159

UNKNOWN

Moodle before 2.2.2: the overview report allows users to see hidden courses.

Published Nov 14, 2019

CVE-2012-1158

UNKNOWN

Moodle before 2.2.2 has a course information leak in the gradebook where users are able to see hidden grade items in exports.

Published Nov 14, 2019

CVE-2012-1157

UNKNOWN

Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default.

Published Nov 14, 2019

CVE-2012-1156

UNKNOWN

Moodle before 2.2.2 includes users' private files in course backups.

Published Nov 14, 2019

CVE-2012-1168

UNKNOWN

Moodle before 2.2.2 has a password and web services issue: when the user profile is updated, the user password is reset if not specified.

Published Nov 14, 2019

CVE-2012-1155

UNKNOWN

Moodle has a database activity export permission issue where the export function of the database activity module exports all entries, including those from groups the user does not belong to.

Published Nov 14, 2019

CVE-2019-10154

MEDIUM

A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.

Published Jun 26, 2019

CVE-2019-10134

MEDIUM

A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email was not correctly checked, so their quota allowance could be exceeded.

Published Jun 26, 2019