CVE-2024-43431
- EPSS 0.46%
- Veröffentlicht 07.11.2024 14:15:15
- Zuletzt bearbeitet 01.05.2025 16:02:42
A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.
CVE-2024-51736
- EPSS 0.43%
- Veröffentlicht 06.11.2024 21:15:06
- Zuletzt bearbeitet 04.09.2025 16:08:00
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when prepar...
- EPSS 0.75%
- Veröffentlicht 01.07.2024 13:15:05
- Zuletzt bearbeitet 15.04.2026 00:35:42
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-37674
- EPSS 0.56%
- Veröffentlicht 20.06.2024 18:15:12
- Zuletzt bearbeitet 09.07.2026 01:19:04
Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name parameter) of a new activity.
CVE-2024-38276
- EPSS 0.46%
- Veröffentlicht 18.06.2024 20:15:14
- Zuletzt bearbeitet 26.03.2025 14:15:31
Incorrect CSRF token checks resulted in multiple CSRF risks.
CVE-2024-38277
- EPSS 0.24%
- Veröffentlicht 18.06.2024 20:15:14
- Zuletzt bearbeitet 07.08.2025 17:24:28
A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.
CVE-2024-38273
- EPSS 0.43%
- Veröffentlicht 18.06.2024 20:15:13
- Zuletzt bearbeitet 07.08.2025 16:43:09
Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.
CVE-2024-38274
- EPSS 0.37%
- Veröffentlicht 18.06.2024 20:15:13
- Zuletzt bearbeitet 07.08.2025 17:23:59
Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.
CVE-2024-38275
- EPSS 0.45%
- Veröffentlicht 18.06.2024 20:15:13
- Zuletzt bearbeitet 30.04.2025 23:35:59
The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
CVE-2024-34002
- EPSS 0.48%
- Veröffentlicht 31.05.2024 21:15:09
- Zuletzt bearbeitet 01.05.2025 15:39:00
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local fi...