Security Advisories - moodle/moodle

moodle/moodle Security Advisories for v4.0.3 (55)

[MEDIUM] Moodle Authenticated LFI risk in some misconfigured shared hosting environments

PKSA-kkys-npvt-jjkp CVE-2024-34002 GHSA-mm9p-xwfm-3fqf

Affected version: <4.1.10|>=4.2.0,<4.2.7|>=4.3.0,<4.3.4

Reported by:
GitHub
[MEDIUM] Moodle Authenticated LFI risk in some misconfigured shared hosting environments

PKSA-yhpg-hcpg-vd71 CVE-2024-34003 GHSA-jg4f-8w9x-jv35

Affected version: <4.1.10|>=4.2.0,<4.2.7|>=4.3.0,<4.3.4

Reported by:
GitHub
[MEDIUM] Moodle Authenticated LFI risk in some misconfigured shared hosting environments

PKSA-ypnv-pv4y-khkt CVE-2024-34004 GHSA-q3cm-ccrm-2mr6

Affected version: <4.1.10|>=4.2.0,<4.2.7|>=4.3.0,<4.3.4

Reported by:
GitHub
[MEDIUM] Moodle Authenticated LFI risk in some misconfigured shared hosting environments

PKSA-7g9b-96vb-f88b CVE-2024-34005 GHSA-r99q-hmqv-xw8w

Affected version: <4.1.10|>=4.2.0,<4.2.7|>=4.3.0,<4.3.4

Reported by:
GitHub
[MEDIUM] Moodle Unsanitized HTML in site log for config_log_created

PKSA-81r7-dyqg-4q32 CVE-2024-34006 GHSA-vvh5-7v3m-j3mj

Affected version: <4.1.10|>=4.2.0,<4.2.7|>=4.3.0,<4.3.4

Reported by:
GitHub
[MEDIUM] Moodle CSRF risk in analytics management of models

PKSA-1bk8-gsry-b156 CVE-2024-34008 GHSA-68x5-4jg5-gjgg

Affected version: <4.1.10|>=4.2.0,<4.2.7|>=4.3.0,<4.3.4

Reported by:
GitHub
[MEDIUM] Moodle CSRF risk in admin preset tool management of presets

PKSA-smf8-81d7-1g8y CVE-2024-34001 GHSA-gq9f-8rj4-w7jc

Affected version: <4.1.10|>=4.2.0,<4.2.7|>=4.3.0,<4.3.4

Reported by:
GitHub
[MEDIUM] Moodle Cross-site Scripting (XSS)

PKSA-44sz-9c8d-byh6 CVE-2024-34000 GHSA-8qwh-4vwv-7c5m

Affected version: <4.1.10|>=4.2.0,<4.2.7|>=4.3.0,<4.3.4

Reported by:
GitHub
[MEDIUM] Moodle broken access control when setting calendar event type

PKSA-xxjw-syx2-dc4w CVE-2024-33996 GHSA-4qww-rxq6-x7gf

Affected version: <4.1.10|>=4.2.0,<4.2.7|>=4.3.0,<4.3.4

Reported by:
GitHub
[MEDIUM] Moodle stored Cross-site Scripting (XSS)

PKSA-psg4-6cnq-2vpv CVE-2024-33997 GHSA-9qgq-93c7-9hm4

Affected version: <4.1.10|>=4.2.0,<4.2.7|>=4.3.0,<4.3.4

Reported by:
GitHub
[MEDIUM] Moodle Cross-site Scripting (XSS)

PKSA-1vcw-7pbp-4hc4 CVE-2024-33998 GHSA-xqhh-253w-4q5f

Affected version: <4.1.10|>=4.2.0,<4.2.7|>=4.3.0,<4.3.4

Reported by:
GitHub
[MEDIUM] Cross-site Scripting in Moodle Chat

PKSA-dkf4-gr8b-q7z7 CVE-2024-28593 GHSA-f6mh-79vh-2hv7

Affected version: <=4.3.3

Reported by:
GitHub
[HIGH] Uncontrolled Resource Consumption in moodle

PKSA-cnq3-npb7-81gr CVE-2024-25978 GHSA-487g-3m3v-hjhq

Affected version: <4.1.9|>=4.2.0,<4.2.6|>=4.3.0,<4.3.3

Reported by:
GitHub
[MEDIUM] Improper Handling of Parameters in moodle

PKSA-8zq5-86tq-npgn CVE-2024-25979 GHSA-6vjf-48fh-vxxj

Affected version: <4.1.9|>=4.2.0,<4.2.6|>=4.3.0,<4.3.3

Reported by:
GitHub
[MEDIUM] Improper Access Control in moodle

PKSA-q882-vvk2-55y5 CVE-2024-25980 GHSA-cp8m-h777-g4p3

Affected version: <4.1.9|>=4.2.0,<4.2.6|>=4.3.0,<4.3.3

Reported by:
GitHub
[MEDIUM] Improper Access Control in moodle

PKSA-1rtr-36p9-m5t2 CVE-2024-25981 GHSA-jfrg-9hpq-9hvp

Affected version: <4.1.9|>=4.2.0,<4.2.6|>=4.3.0,<4.3.3

Reported by:
GitHub
[MEDIUM] Cross-Site Request Forgery in moodle

PKSA-ywdp-r6kr-8xch CVE-2024-25982 GHSA-7pjp-fm93-p6pj

Affected version: <4.1.9|>=4.2.0,<4.2.6|>=4.3.0,<4.3.3

Reported by:
GitHub
[LOW] Authorization Bypass in moodle

PKSA-yn3d-by8g-nzfj CVE-2024-25983 GHSA-9r26-5w88-qhp9

Affected version: <4.1.9|>=4.2.0,<4.2.6|>=4.3.0,<4.3.3

Reported by:
GitHub
[MEDIUM] Moodle Improper Access Control vulnerability

PKSA-57rb-5xt6-dhwq CVE-2024-1439 GHSA-5p2x-8427-9fgp

Affected version: <=4.2.0

Reported by:
GitHub
[MEDIUM] Moodle Cross-site Scripting vulnerability

PKSA-nw4f-rh34-rrdv CVE-2023-5544 GHSA-j5xf-gv89-g422

Affected version: <4.3.0-rc2

Reported by:
GitHub
[LOW] Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability

PKSA-qmp2-c2q6-ys9x CVE-2023-5545 GHSA-26fg-v32r-h663

Affected version: <4.3.0-rc2

Reported by:
GitHub
[LOW] Moodle Cross-site Scripting vulnerability

PKSA-hc6s-n6ty-9y9s CVE-2023-5547 GHSA-9gqp-3g28-w9xc

Affected version: <4.3.0-rc2

Reported by:
GitHub
[LOW] Moodle Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability

PKSA-7z8c-xy4p-1ctc CVE-2023-5548 GHSA-cwh2-q44x-5w3c

Affected version: <4.3.0-rc2

Reported by:
GitHub
[LOW] Moodle Improper Access Control vulnerability

PKSA-hfk2-p537-bfvp CVE-2023-5549 GHSA-fm5h-58g2-4m3f

Affected version: <4.3.0-rc2

Reported by:
GitHub
[MEDIUM] Moodle Code Injection vulnerability

PKSA-4qqg-7p6g-qrrf CVE-2023-5550 GHSA-5cvx-cwpx-9rjh

Affected version: <3.9.24|>=3.10.0,<3.11.17|>=4.0.0,<4.0.11|>=4.1.0,<4.1.6|>=4.2.0,<4.2.3|>=4.3.0-beta,<4.3.0-rc2

Reported by:
GitHub
[LOW] Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability

PKSA-6cjp-j4yt-m8jy CVE-2023-5551 GHSA-jr83-8x65-xcr5

Affected version: <3.9.24|>=3.10.0,<3.11.17|>=4.0.0,<4.0.11|>=4.1.0,<4.1.6|>=4.2.0,<4.2.3|>=4.3.0-beta,<4.3.0-rc2

Reported by:
GitHub
[MEDIUM] Moodle Code Injection vulnerability

PKSA-fmy8-x52s-r4tc CVE-2023-5539 GHSA-3xxm-3g3c-w579

Affected version: <4.3.0-rc2

Reported by:
GitHub
[MEDIUM] Moodle Code Injection vulnerability

PKSA-9gb6-31c6-p6xb CVE-2023-5540 GHSA-w8x2-w4qr-v3x4

Affected version: <4.3.0-rc2

Reported by:
GitHub
[LOW] Moodle Cross-site Scripting vulnerability

PKSA-71dn-fkh5-k7hn CVE-2023-5541 GHSA-28gc-4qq5-8q26

Affected version: <4.3.0-rc2

Reported by:
GitHub
[LOW] Moodle Improper Access Control vulnerability

PKSA-d458-bwfk-smkv CVE-2023-5542 GHSA-8mm2-m2gp-c6x2

Affected version: <4.3.0-rc2

Reported by:
GitHub
[MEDIUM] Moodle Cross-site Scripting vulnerability

PKSA-mc6m-hdgk-qpkp CVE-2023-5546 GHSA-9724-h8p7-r3jv

Affected version: <4.3.0-rc2

Reported by:
GitHub
[MEDIUM] Moodle vulnerable to Cross-site Scripting

PKSA-1tyr-r2xr-8vx6 CVE-2023-35131 GHSA-fwfj-8p36-rc64

Affected version: <3.11.15|>=4.0.0,<4.0.9|>=4.1.0,<4.1.4|=4.2.0

Reported by:
GitHub
[MEDIUM] Moodle vulnerable to SQL Injection

PKSA-dhd3-j88c-2sy9 CVE-2023-35132 GHSA-49mv-vfcp-8gg9

Affected version: <3.9.22|>=3.10.0,<3.11.15|>=4.0.0,<4.0.9|>=4.1.0,<4.1.4|=4.2.0

Reported by:
GitHub
[HIGH] Moodle vulnerable to Server Side Request Forgery

PKSA-59yt-9rbk-gvyv CVE-2023-35133 GHSA-xxp4-mf4h-6cwm

Affected version: <3.9.22|>=3.10.0,<3.11.15|>=4.0.0,<4.0.9|>=4.1.0,<4.1.4|=4.2.0

Reported by:
GitHub
[MEDIUM] Moodle External Control of File Name or Path vulnerability

PKSA-tkmd-sfy5-9ntm CVE-2023-30943 GHSA-22gj-8qj2-fj46

Affected version: <4.2.0-rc2

Reported by:
GitHub
[HIGH] Moodle SQL Injection vulnerability

PKSA-vvyj-pzxn-byrt CVE-2023-30944 GHSA-7mmc-22g7-3xq2

Affected version: <4.2.0-rc2

Reported by:
GitHub
[MEDIUM] Moodle may display roles to users who don't have access to them

PKSA-mxtf-x1wg-7bp2 CVE-2023-1402 GHSA-vj5p-fp42-774p

Affected version: <3.9.20|>=3.11.0,<3.11.13|>=4.0.0,<4.0.7|>=4.1.0,<4.1.2

Reported by:
GitHub
[HIGH] Moodle SQL Injection vulnerability

PKSA-rp95-37zp-mm24 CVE-2023-28329 GHSA-72w2-j52c-7682

Affected version: <3.9.20|>=3.11.0,<3.11.13|>=4.0.0,<4.0.7|>=4.1.0,<4.1.2

Reported by:
GitHub
[MEDIUM] Moodle arbitrary file read vulnerability

PKSA-mc13-1wkx-jq4t CVE-2023-28330 GHSA-56r9-72vx-q989

Affected version: <3.9.20|>=3.11.0,<3.11.13|>=4.0.0,<4.0.7|>=4.1.0,<4.1.2

Reported by:
GitHub
[MEDIUM] Moodle vulnerable to Cross-site Scripting

PKSA-bxtb-x3pj-rjq1 CVE-2023-28331 GHSA-77jm-f3vj-xvx2

Affected version: <3.9.20|>=3.11.0,<3.11.13|>=4.0.0,<4.0.7|>=4.1.0,<4.1.2

Reported by:
GitHub
[MEDIUM] Moodle vulnerable to Cross-site Scripting when algebra filter enabled but not functional

PKSA-7jf2-xyg3-8k5b CVE-2023-28332 GHSA-9f45-9qrw-pp4v

Affected version: <3.9.20|>=3.11.0,<3.11.13|>=4.0.0,<4.0.7|>=4.1.0,<4.1.2

Reported by:
GitHub
[CRITICAL] Moodle's Mustache pix helper contained a potential Mustache injection risk if combined with user input

PKSA-55x8-drvs-2svz CVE-2023-28333 GHSA-q2x3-2f9g-h559

Affected version: <3.9.20|>=3.11.0,<3.11.13|>=4.0.0,<4.0.7|>=4.1.0,<4.1.2

Reported by:
GitHub
[MEDIUM] Moodle may allow authenticated users to enumerate other user's names via learning plans page

PKSA-g5h3-zwb4-389q CVE-2023-28334 GHSA-hh52-g5c4-wprh

Affected version: <3.9.20|>=3.11.0,<3.11.13|>=4.0.0,<4.0.7|>=4.1.0,<4.1.2

Reported by:
GitHub
[MEDIUM] Moodle may allow teachers to access the names of users they could not otherwise access

PKSA-fyrz-rtnj-32jm CVE-2023-28336 GHSA-prjm-2fj2-787f

Affected version: <3.9.20|>=3.11.0,<3.11.13|>=4.0.0,<4.0.7|>=4.1.0,<4.1.2

Reported by:
GitHub
[MEDIUM] Moodle Cross-site Scripting vulnerability

PKSA-j8km-3bqv-4yq3 CVE-2023-23921 GHSA-97qf-pq7x-964m

Affected version: >=4.1.0-beta,<4.1.1|>=4.0.0-beta,<4.0.6|>=3.10.0,<3.11.12|<3.9.19

Reported by:
GitHub
[MEDIUM] Moodle Cross-site Scripting vulnerability

PKSA-h963-hhjr-6jq3 CVE-2023-23922 GHSA-grmj-gpwm-98ww

Affected version: >=4.1.0-beta,<4.1.1|>=4.0.0-beta,<4.0.6

Reported by:
GitHub
[HIGH] Moodle Improper Access Control vulnerability

PKSA-9ggk-wqx1-s523 CVE-2023-23923 GHSA-32jc-9p58-p82x

Affected version: >=4.1.0-beta,<4.1.1|>=4.0.0-beta,<4.0.6|>=3.10.0,<3.11.12|<3.9.19

Reported by:
GitHub
[CRITICAL] Moodle blind Server-Side Request Forgery (SSRF) vulnerability in LTI provider library

PKSA-vvcc-hpr9-hc68 CVE-2022-45152 GHSA-xqcf-vgqc-pcmg

Affected version: >=4.0,<4.0.5|>=3.11,<3.11.11|>=3.9,<3.9.18

Reported by:
GitHub
[MEDIUM] Cross-Site Request Forgery in Moodle

PKSA-t78j-bk86-n5wb CVE-2022-45149 GHSA-8v23-w4w5-w83c

Affected version: >=4.0.0,<4.0.5|>=3.11.0,<3.11.11|>=3.9.0,<3.9.18

Reported by:
GitHub
[MEDIUM] Moodle reflected cross-site scripting vulnerability in policy tool

PKSA-s5y4-r7wb-bznw CVE-2022-45150 GHSA-6gx2-g773-hv9h

Affected version: >=4.0,<4.0.5|>=3.11,<3.11.11|>=3.9,<3.9.18

Reported by:
GitHub
[MEDIUM] Moodle stored-XSS vulnerability in some "social" user profile fields

PKSA-252k-gczv-hcwk CVE-2022-45151 GHSA-xv72-6pgh-cjj8

Affected version: >=4.0,<4.0.5|>=3.11,<3.11.11

Reported by:
GitHub
[HIGH] Moodle Stored Cross-site Scripting and page denial of service

PKSA-dhgp-ry9y-b8gx CVE-2022-40313 GHSA-jqgr-gh62-jf53

Affected version: >=4.0,<4.0.4|>=3.11,<3.11.10|>=3.9,<3.9.17

Reported by:
GitHub
[CRITICAL] Moodle remote code execution

PKSA-gn18-mdrw-79m2 CVE-2022-40314 GHSA-2hmm-q272-xmhf

Affected version: >=4.0,<4.0.4|>=3.11,<3.11.10|<3.9.17

Reported by:
GitHub
[CRITICAL] Moodle Minor SQL injection risk in admin user browsing

PKSA-rm4m-8bfs-9w2b CVE-2022-40315 GHSA-mqw9-3cjm-xwp3

Affected version: >=4.0,<4.0.4|>=3.11,<3.11.10|>=3.9,<3.9.17

Reported by:
GitHub
[MEDIUM] Moodle No groups filtering in H5P activity attempts report

PKSA-kj1m-bcy5-qfsx CVE-2022-40316 GHSA-385f-vgq7-8hhx

Affected version: >=4.0,<4.0.4|>=3.11,<3.11.10|>=3.9,<3.9.17

Reported by:
GitHub

moodle/moodle Security Advisories for v4.0.3 (55)

[MEDIUM] Moodle Authenticated LFI risk in some misconfigured shared hosting environments

[MEDIUM] Moodle Authenticated LFI risk in some misconfigured shared hosting environments

[MEDIUM] Moodle Authenticated LFI risk in some misconfigured shared hosting environments

[MEDIUM] Moodle Authenticated LFI risk in some misconfigured shared hosting environments

[MEDIUM] Moodle Unsanitized HTML in site log for config_log_created

[MEDIUM] Moodle CSRF risk in analytics management of models

[MEDIUM] Moodle CSRF risk in admin preset tool management of presets

[MEDIUM] Moodle Cross-site Scripting (XSS)

[MEDIUM] Moodle broken access control when setting calendar event type

[MEDIUM] Moodle stored Cross-site Scripting (XSS)

[MEDIUM] Moodle Cross-site Scripting (XSS)

[MEDIUM] Cross-site Scripting in Moodle Chat

[HIGH] Uncontrolled Resource Consumption in moodle

[MEDIUM] Improper Handling of Parameters in moodle

[MEDIUM] Improper Access Control in moodle

[MEDIUM] Improper Access Control in moodle

[MEDIUM] Cross-Site Request Forgery in moodle

[LOW] Authorization Bypass in moodle

[MEDIUM] Moodle Improper Access Control vulnerability

[MEDIUM] Moodle Cross-site Scripting vulnerability

[LOW] Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability

[LOW] Moodle Cross-site Scripting vulnerability

[LOW] Moodle Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability

[LOW] Moodle Improper Access Control vulnerability

[MEDIUM] Moodle Code Injection vulnerability

[LOW] Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability

[MEDIUM] Moodle Code Injection vulnerability

[MEDIUM] Moodle Code Injection vulnerability

[LOW] Moodle Cross-site Scripting vulnerability

[LOW] Moodle Improper Access Control vulnerability

[MEDIUM] Moodle Cross-site Scripting vulnerability

[MEDIUM] Moodle vulnerable to Cross-site Scripting

[MEDIUM] Moodle vulnerable to SQL Injection

[HIGH] Moodle vulnerable to Server Side Request Forgery

[MEDIUM] Moodle External Control of File Name or Path vulnerability

[HIGH] Moodle SQL Injection vulnerability

[MEDIUM] Moodle may display roles to users who don't have access to them

[HIGH] Moodle SQL Injection vulnerability

[MEDIUM] Moodle arbitrary file read vulnerability

[MEDIUM] Moodle vulnerable to Cross-site Scripting

[MEDIUM] Moodle vulnerable to Cross-site Scripting when algebra filter enabled but not functional

[CRITICAL] Moodle's Mustache pix helper contained a potential Mustache injection risk if combined with user input

[MEDIUM] Moodle may allow authenticated users to enumerate other user's names via learning plans page

[MEDIUM] Moodle may allow teachers to access the names of users they could not otherwise access

[MEDIUM] Moodle Cross-site Scripting vulnerability

[MEDIUM] Moodle Cross-site Scripting vulnerability

[HIGH] Moodle Improper Access Control vulnerability

[CRITICAL] Moodle blind Server-Side Request Forgery (SSRF) vulnerability in LTI provider library

[MEDIUM] Cross-Site Request Forgery in Moodle

[MEDIUM] Moodle reflected cross-site scripting vulnerability in policy tool

[MEDIUM] Moodle stored-XSS vulnerability in some "social" user profile fields

[HIGH] Moodle Stored Cross-site Scripting and page denial of service

[CRITICAL] Moodle remote code execution

[CRITICAL] Moodle Minor SQL injection risk in admin user browsing

[MEDIUM] Moodle No groups filtering in H5P activity attempts report