Known Vulnerabilities
CVE-2022-0984
Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.
UNKNOWN
Published Apr 29, 2022
CVE-2022-0985
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.
UNKNOWN
Published Apr 29, 2022
CVE-2022-0983
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
UNKNOWN
Published Mar 25, 2022