| CVE-2014-7832 |
|
Medium |
Nov 24, 2014 |
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control a
more...
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
less...
|
2.5.5, 2.4.9, 2.6.2, 2.6.1, 2.4.8, 2.5.4, 2.3.11, 2.5.3, 2.3.10, 2.4.7
|
| CVE-2014-7831 |
|
Medium |
Nov 24, 2014 |
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades,
more...
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.
less...
|
2.5.5, 2.4.9, 2.6.2, 2.6.1, 2.4.8, 2.5.4, 2.3.11, 2.5.3, 2.3.10, 2.4.7
|
| CVE-2014-7830 |
|
Low |
Nov 24, 2014 |
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x befor
more...
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter.
less...
|
2.5.5, 2.4.9, 2.6.2, 2.6.1, 2.4.8, 2.5.4, 2.3.11, 2.5.3, 2.3.10, 2.4.7
|
| CVE-2014-3617 |
|
Medium |
Sep 15, 2014 |
The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7
more...
The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum.
less...
|
2.5.5, 2.4.9, 2.6.2, 2.6.1, 2.4.8, 2.5.4, 2.3.11, 2.5.3, 2.3.10, 2.4.7
|
| CVE-2014-3553 |
|
Medium |
Jul 29, 2014 |
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not
more...
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships.
less...
|
2.5.5, 2.6.2, 2.4.9, 2.4.8, 2.6.1, 2.3.11, 2.5.4, 2.4.7, 2.5.3, 2.3.10
|
| CVE-2014-3552 |
|
Medium |
Jul 29, 2014 |
The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before 2.5.7 does not check
more...
The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before 2.5.7 does not check whether a session ID is empty, which allows remote authenticated users to hijack sessions via crafted plugin interaction.
less...
|
2.4.9, 2.5.5, 2.5.4, 2.4.8, 2.3.11, 2.5.3, 2.3.10, 2.4.7, 2.5.2, 2.3.9
|
| CVE-2014-3551 |
|
Low |
Jul 29, 2014 |
Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before
more...
Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric.
less...
|
2.5.5, 2.6.2, 2.4.9, 2.4.8, 2.6.1, 2.3.11, 2.5.4, 2.4.7, 2.5.3, 2.3.10
|
| CVE-2014-3548 |
|
Medium |
Jul 29, 2014 |
Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x be
more...
Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger an AJAX exception dialog.
less...
|
2.5.5, 2.6.2, 2.4.9, 2.4.8, 2.6.1, 2.3.11, 2.5.4, 2.4.7, 2.5.3, 2.3.10
|
| CVE-2014-3547 |
|
Medium |
Jul 29, 2014 |
Multiple cross-site scripting (XSS) vulnerabilities in badges/renderer.php in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 all
more...
Multiple cross-site scripting (XSS) vulnerabilities in badges/renderer.php in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via an external badge.
less...
|
2.6.2, 2.5.5, 2.5.4, 2.6.1, 2.5.3, 2.5.2, 2.5.1
|
| CVE-2014-3546 |
|
Medium |
Jul 29, 2014 |
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirem
more...
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL.
less...
|
2.5.5, 2.6.2, 2.4.9, 2.4.8, 2.6.1, 2.3.11, 2.5.4, 2.4.7, 2.5.3, 2.3.10
|
