nvd,anchore_overrides
Moodle
Vulnerabilities
630
Known exploited
0
Critical
27
High
95
Top vulnerabilities
CVE-2019-3809A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.
CVE-2006-4936Moodle before 1.6.2 does not properly validate the module instance id when creating a course module object, which has unspecified impact and remote attack vectors.
CVE-2006-4935The Database module in Moodle before 1.6.2 does not properly handle uploaded files, which has unspecified impact and remote attack vectors.
CVE-2005-2247Multiple unknown vulnerabilities in Moodle before 1.5.1 have unknown impact and attack vectors.
CVE-2004-2237Unknown vulnerability in Moodle before 1.3.4 has unknown impact and attack vectors, related to "strings in Moodle texts."
CVE-2004-2236Unknown vulnerability in Moodle before 1.3.3 has unknown impact and attack vectors, related to language setting.
CVE-2004-2235Unknown vulnerability in Moodle before 1.2 has unknown impact and attack vectors, related to improper filtering of text.
CVE-2004-2233Unknown "front page vulnerability with Moodle servers" for Moodle before 1.3.2 has unknown impact and attack vectors.
CVE-2025-67856A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features.
CVE-2025-26533An SQL injection risk was identified in the module list filter within course search.
CVE-2024-33999The referrer URL used by MFA required additional sanitizing, rather than being used directly.
CVE-2023-5550In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.
CVE-2023-28333The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS).
CVE-2022-40315A limited SQL injection risk was identified in the "browse list of users" site administration page.
CVE-2022-40314A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.
CVE-2022-35649The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
CVE-2022-30600A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.
CVE-2022-30599A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.
CVE-2022-0332A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.
CVE-2021-3943A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified.
CVE-2021-36394In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.
CVE-2021-36393In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.
CVE-2021-36392In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.
CVE-2017-2641In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
CVE-2022-45152A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.