Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-6g5x-h5x7-q4mq: Moodle has an IDOR in web service which allows users enrolled in a course to access some details of other users

A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access.

ghsa
Open in Source
#vulnerability#web#git
GHSA-c8v6-vxhf-wcrr: Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.

GHSA-m367-445c-2xqr: Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.

GHSA-88xj-97gf-7wpq: Moodle has a CSRF risk in user tours manager that allows tour duplication

A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.

GHSA-cpm7-mv33-jwf8: Moodle's AJAX section delete does not respect course_can_delete_section()

A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.

GHSA-chmf-m33p-ph8m: Moodle allows IDOR in RSS block, which allows access to additional RSS feeds

A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.

GHSA-345q-9jmq-g9q4: Moodle allows unauthenticated REST API user data exposure

A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact information, and hashed passwords—via stack traces returned by specific API calls. Sites where PHP is configured with zend.exception_ignore_args = 'On' or zend.exception_ignore_args = 1 in the relevant php.ini file are NOT affected by this vulnerability. Sites that do not have the zend.exception_ignore_args setting enabled and are using the internal Moodle LMS authentication system are affected by this vulnerability.

GHSA-69m9-rprc-2x7g: Moodle reveals student identities through assignment submissions search on anonymous submissions

A flaw has was found in Moodle where anonymous assignment submissions can be de-anonymized via search, revealing student identities.

GHSA-qhc7-xhc2-7p7w: Moodle self enrollment available before completing second factor with MFA enabled

A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.

GHSA-x45j-jq9q-gf3q: Moodle makes some user data available before completing second factor with MFA enabled

A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA).