Search CVE reports

An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.

A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.

A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via paypal enrol script. Paypal IPN callback script...

In Moodle 3.x, there is XSS via a calendar event name.

In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings.

In Moodle 3.x, the setting for blocked hosts list can be bypassed with multiple A record hostnames.

Moodle 3.x has Server Side Request Forgery in the filepicker.

In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This...

In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access.

Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback.