
ROS-20221013-02

2022-10-13 00:00:00
redos.red-soft.ru

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.029 Low
Percentile: 90.6%

A vulnerability in the Moodle course management system is related to the fact that the H5P attempted action report does not
take group permissions into account when displaying to non-editing teachers information
about attempts/users in groups to which they should not have access. Exploitation of the vulnerability
could allow an attacker acting remotely to gain access to sensitive information.

A vulnerability in the Moodle course management system is related to insecure input validation when restoring
backup files. Exploitation of the vulnerability could allow an attacker acting remotely to
trick a victim into restoring a website from a corrupted backup and execute arbitrary
code on the target system.

A vulnerability in the Moodle course management system is related to an input validation error when importing
lesson questions. Exploitation of the vulnerability could allow an attacker acting remotely to send a specially
crafted HTTP request and read arbitrary files on the system.

A vulnerability in the Moodle course management system is related to improper cleansing of user data in the
automatic login function from mobile devices. Exploitation of the vulnerability could allow
an attacker acting remotely to create a link that appears to lead to a trusted website but, when clicked,
redirects the victim to an arbitrary domain.

A vulnerability in the Moodle course management system is related to insufficient cleansing of user data in the
Mustache template helpers. Exploitation of the vulnerability could allow an attacker acting remotely to
cause a victim to click on a specially crafted link and execute arbitrary HTML code and script in the
user’s browser in the context of a vulnerable website.

A vulnerability in the Moodle course management system is related to the ability to add a resource to an arbitrary “Topic” after a course has been created,
in this case a “Database” resource with the type “Text”, where its values “Field Name” and
“Field Description” are vulnerable to stored cross-site scripting (XSS). Exploitation of the vulnerability could
allow a remote attacker to conduct a cross-site scripting attack.

A vulnerability in the Moodle course management system is related to insufficient cleansing of user data on the
site administration page “view user list”. Exploitation of the vulnerability could
allow an attacker acting remotely to send a specially crafted request to the affected
application and execute arbitrary SQL commands on the application database.

A vulnerability in the Moodle course management system is related to insufficient cleansing of user data in the
LTI module. Exploitation of the vulnerability could allow an attacker acting remotely to force the victim
to click on a specially crafted link and execute arbitrary HTML code and script in the browser
of the user in the context of a vulnerable website.

A vulnerability in the Moodle course management system is related to insufficient cleansing of user data in the
SCORM tracking details. Exploitation of the vulnerability could allow an attacker acting remotely to
inject and execute arbitrary HTML code and script in a user’s browser in the context of a vulnerable
website.

A vulnerability in the Moodle course management system is related to improper input validation when analyzing
PostScript code. Exploitation of the vulnerability could allow an attacker acting remotely to transmit
specially crafted data to an application and execute arbitrary code on a system running
versions of GhostScript older than 9.50.

OS      Version   Architecture   Package   Version        Filename
redos   7.3       x86_64         moodle    <= 3.11.4-4    UNKNOWN
