Moodle ≫ Moodle

An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack.

A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions. Unauthenticated users can trigger custom messages to admin via paypal enrol script. Paypal IPN callback script should only send error...

A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.

Moodle 3.x has Server Side Request Forgery in the filepicker.

In Moodle 3.x, the setting for blocked hosts list can be bypassed with multiple A record hostnames.

In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings.

In Moodle 3.x, there is XSS via a calendar event name.

In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and gu...

Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback.

In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access.