11 matches found
GHSA-GMHR-6F43-7QPJ Moodle does not properly implement group-based access restrictions
The core_enrol_get_enrolled_users web service in enrol/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly implement group-based access restrictions, which allows remote authenticated users to obtain sensitive course-participant...
GHSA-FR9M-PJMM-QX9F Moodle allows attackers to obtain sensitive calendar-event information
calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request...
Cross-site Scripting (XSS)
Moodle is vulnerable to cross-site scripting (XSS) attacks. Authenticated attackers can inject web script and HTML into the application through the external_format_text function in lib/externallib.php...
Unauthorised Metadata Modification
Moodle is vulnerable to unauthorised metadata modification. The vulnerability exists due to a flaw in mod/assign/externallib.php which does not filter the function parameters, allowing modification of the grade metadata information...
CVE-2016-2156
The CVE-2016-2156 vulnerability affects Moodle versions up to 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, where calendar-event data can be exposed via web-service requests because hidden activities are not honored. This could allow remote authenti...
CVE-2015-0215
calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request...
CVE-2015-0215
This CVE concerns Moodle: calendar/externallib.php in Moodle versions up to 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request. The underlying issue is an information-disclosure vulnerability in the calendar web-service interface (ext...
CVE-2015-0214
CVE-2015-0214 affects Moodle components including message/externallib.php. The vulnerability allows remote authenticated users to bypass a messaging-disabled setting via a web-services request (demonstrated by a people-search request). Affected versions include Moodle 2.5.9 and 2.6.x before 2.6.7...
CVE-2015-3178
CVE-2015-3178 affects Moodle: the external_format_text function in lib/externallib.php is vulnerable in Moodle 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6. The issue allows remote authenticated users to inject arbitrary web script/HTML into an external application via a...
CVE-2015-0214
message/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to bypass a messaging-disabled setting via a web-services request, as demonstrated by a people-search request...
CVE-2015-0215
calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request...