The version of Moodle installed on the remote host is 3.9.x prior to 3.9.14, 3.10.x prior to 3.10.11, 3.11.x prior to 3.11.7 or 4.0.x prior to 4.0.1. It is, therefore, affected by multiple vulnerabilities:
A stored Cross-Site Scripting (XSS) vulnerability in ID numbers displayed when bulk allocating markers to assignments. (CVE-2022-30596)
An improper handling of the description user field which is not hidden when being set as a hidden user field. (CVE-2022-30597)
An information disclosure in the global search results which could include author information on some activities where a user may not otherwise have access to it. (CVE-2022-30598)
An SQL injection in badges code relating to configuring criteria available to site administrators. (CVE-2022-30599)
A bypass in the account lockout treshold due to an issue in the logic used to count failed login attempts. (CVE-2022-30600)
A vulnerable version of mlbackend python library included in Moodle.
Note that the scanner has not attempted to exploit this issue but has instead relied only on application’s self-reported version number.
No source data
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30596
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30597
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30598
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30599
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30600
moodle.org/mod/forum/discuss.php?d=434578#p1748722
moodle.org/mod/forum/discuss.php?d=434579#p1748723
moodle.org/mod/forum/discuss.php?d=434580#p1748724
moodle.org/mod/forum/discuss.php?d=434581#p1748725
moodle.org/mod/forum/discuss.php?d=434582#p1748726