BIT-MOODLE-2025-26526 Feedback response viewing and deletions did not respect Separate Groups mode
Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities...
BIT-MOODLE-2024-34000 moodle: stored XSS in lesson overview report via user ID number
ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk...
CVE-2006-6625
Cross-site scripting (XSS) vulnerability in mod/forum/discuss.php in Moodle 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the navtail parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information...
Unspecified Vulnerability in Moodle
Moodle is a free e-learning software platform, also known as a course management system, learning management system or virtual learning environment. Moodle suffers from a security vulnerability that stems from the need for additional checks to ensure that users only have access to authorized grou...
GHSA-HXGG-4QWW-85PH Moodle has reflected Cross-site Scripting risk in policy tool
A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected cross-site scripting (XSS) risk...
PT-2025-17915
Name of the Vulnerable Software and Affected Versions: Moodle, affected versions not specified. Description: A flaw was found in the software, where insufficient capability checks allowed a user enrolled in a course to access certain details of other users they did not have permission to access, such...
PT-2025-14480
Name of the Vulnerable Software and Affected Versions: Moodle versions up to 4.5.2. Description: The issue concerns an information disclosure in the REST API. Recommendations: For versions up to 4.5.2, update to a version that contains a fix for this issue...
Improper Access Control
moodle/moodle is vulnerable to Improper access control. The vulnerability is due to missing Separate Groups mode restrictions in permission checks, allowing unauthorized viewing or deletion of responses in Feedback activities...
Improper Access Control
moodle/moodle is vulnerable to Improper access control. The vulnerability is due to insufficient enforcement of security policies, allowing a privilege escalation attack due to inadequate checks ensuring trusttext is applied to restored glossary entries...
Improper Message Recipient Validation
moodle/moodle is vulnerable to Improper Message Recipient Validation. The vulnerability is due to insufficient input validation. Specifically, the system does not properly verify that the message recipients belong to the set of users returned by the non-respondents report, allowing messages to be...
CVE-2024-48900
A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to...
PT-2024-27915
Name of the Vulnerable Software and Affected Versions: fedoraproject fedora, affected versions not specified; moodle, affected versions not specified. Description: The issue is related to incorrect CSRF token checks, which resulted in multiple CSRF risks. There is no information available about the...
Improper Input Validation
moodle/moodle is vulnerable to Improper Input Validation. The vulnerability is due to the handling of URL parameters in the forum search functionality. An attacker can manipulate the search feature by injecting unexpected parameters, potentially leading to information disclosure or other unintend...
BIT-MOODLE-2022-40313
Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load...
Moodle vulnerable to symlink attack
spell-check-logic.cgi in Moodle 1.9 before 1.9.4, 1.8 before 1.8.8, 1.7 before 1.7.7 and 1.6 before 1.6.9 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/spell-check-debug.log, (2) /tmp/spell-check-before, or (3) /tmp/spell-check-after temporary file...
Moodle XSS Vulnerability
Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback...
GHSA-QQJV-MC2V-P7MC Moodle SSRF Vulnerability
Moodle 3.x has Server Side Request Forgery in the filepicker...
Moodle allows remote authenticated users to cause a denial of service (invalid database records)
Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted ratings operations...
Moodle allows remote attackers to obtain sensitive information from myprofile block by visiting user-context page
Moodle 2.0.x before 2.0.2 allows remote attackers to obtain sensitive information from a myprofile (aka "My profile") block by visiting a user-context page...
Moodle does not force password changes for autosubscribed users
admin/uploaduserform.php in Moodle 2.0.x before 2.0.3 does not force password changes for autosubscribed users, which makes it easier for remote attackers to obtain access by leveraging knowledge of the initial password of a new user...