The version of Moodle installed on the remote host is 3.9.x prior to 3.9.12, 3.10.x prior to 3.10.9 or 3.11.x prior to 3.11.5. It is, therefore, affected by multiple vulnerabilities:
An SQL injection vulnerability in the h5p activity web service responsible for fetching user attempt data. (CVE-2022-0332)
An authorization issue in the calendar:manageentries capability allowing managers to access or modify any calendar event. (CVE-2022-0333)
An authorization issue allowing users to access their grade report for courses where they did not have the required gradereport/user:view capability. (CVE-2022-0334)
A Cross-Site Request Forgery (CSRF) vulnerability due to the lack of a token check in the ‘delete badge alignment’ functionality. (CVE-2022-0335)
Note that the scanner has not attempted to exploit these issues but has instead relied only on the application’s self-reported version number.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0332
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0333
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0334
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0335
moodle.org/mod/forum/discuss.php?d=431099#p1734813
moodle.org/mod/forum/discuss.php?d=431100#p1734814
moodle.org/mod/forum/discuss.php?d=431102#p1734816
moodle.org/mod/forum/discuss.php?d=431103#p1734817