Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary scripts in users' browsers and steal session cookies.

CVSS: 6.1 · CWE: CWE-79

View on NVD

mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The `core_get_fragment` callback `editel…

CVSS: 9.6 · CWE: CWE-639

View on NVD

A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption.

CVSS: 6.5 · CWE: CWE-400

View on NVD

A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator could result in unintended system command execution. While exploitation requires administrative privileges…

CVSS: 7.2 · CWE: CWE-78

View on NVD

A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are typically available to privileged users, exploitation requires authenticated access. Successful exploitation could result…

CVSS: 7.2 · CWE: CWE-94

View on NVD

A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure.

CVSS: 4.3 · CWE: CWE-201

View on NVD

A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features.

CVSS: 5.4 · CWE: CWE-863

View on NVD

A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.

CVSS: 7.5 · CWE: CWE-307

View on NVD

A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure.

CVSS: 3.5 · CWE: CWE-601

View on NVD

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.

CVSS: 6.1 · CWE: CWE-1236

View on NVD

A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or lea…

CVSS: 7.3 · CWE: CWE-79

View on NVD

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated.

CVSS: 7.3 · CWE: CWE-79

View on NVD

A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who s…

CVSS: 8.1 · CWE: CWE-280

View on NVD

A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application.

CVSS: 8.8 · CWE: CWE-94

View on NVD

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event.

CVSS: 7.2 · CWE: CWE-79

View on NVD

An issue in Moodle’s timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to complete an assessment.

CVSS: 5.4 · CWE: CWE-285

View on NVD

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.

CVSS: 4.3 · CWE: CWE-200

View on NVD

Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.

CVSS: 7.5 · CWE: CWE-307

View on NVD

An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.

CVSS: 5.3 · CWE: CWE-548

View on NVD

Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.

CVSS: 4.3 · CWE: CWE-863

View on NVD

Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser.

CVSS: 8.9 · CWE: CWE-79

View on NVD

Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can impersonate another user's block (e.g., administrator) and send queries that are executed with that block's configuration. This can expose administrat…

CVSS: 4.3 · CWE: CWE-639

View on NVD

Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When any other user (Student, Teacher, or Admin) views the annotated PDF, the payload is executed in their browser, leading to session hijacking, credential theft, or…

CVSS: 5.4 · CWE: CWE-79

View on NVD

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases pag…

CVSS: 4.2 · CWE: CWE-384

View on NVD

A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or m…

CVSS: 6.1 · CWE: CWE-79

View on NVD

A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication an…

CVSS: 7.5 · CWE: CWE-22

View on NVD

A vulnerability classified as problematic was found in Catalyst User Key Authentication Plugin 20220819 on Moodle. Affected by this vulnerability is an unknown functionality of the file /auth/userkey/logout.php of the component Logout. The manipulation of the argument return leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.…

CVSS: 4.3 · CWE: CWE-601

View on NVD

A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.

CVSS: 4.3 · CWE: CWE-863

View on NVD

A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.

CVSS: 4.3 · CWE: CWE-863

View on NVD

A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.

CVSS: 4.3 · CWE: CWE-863

View on NVD

A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.

CVSS: 5.4 · CWE: CWE-79

View on NVD

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.

CVSS: 8.8 · CWE: CWE-94

View on NVD

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.

CVSS: 8.8 · CWE: CWE-94

View on NVD

A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access.

CVSS: 4.3 · CWE: CWE-639

View on NVD

A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk.

CVSS: 8.8 · CWE: CWE-352

View on NVD

A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.

CVSS: 3.1 · CWE: CWE-598

View on NVD

A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.

CVSS: 4.3 · CWE: CWE-639

View on NVD

A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.

CVSS: 3.5 · CWE: CWE-352

View on NVD

A flaw has was found in Moodle where anonymous assignment submissions can be de-anonymized via search, revealing student identities.

CVSS: 4.3 · CWE: CWE-200

View on NVD

A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA).

CVSS: 4.3 · CWE: CWE-287

View on NVD

A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had completed two-factor authentication (2FA).

CVSS: 7.1 · CWE: CWE-639

View on NVD

A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades.

CVSS: 5.3 · CWE: CWE-862

View on NVD

A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact information, and hashed passwords—via stack traces returned by specific API calls. Sites with PHP configured with zend.exception_ignore_args = 1 in the php.ini file are not affected by this vulnerability.

CVSS: 7.5 · CWE: CWE-200

View on NVD

A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.

CVSS: 4.3 · CWE: CWE-287

View on NVD

A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to.

CVSS: 4.3 · CWE: CWE-284

View on NVD

A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values.

CVSS: 5.4 · CWE: N/A

View on NVD

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.

CVSS: 7.5 · CWE: CWE-276

View on NVD

A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.

CVSS: 6.5 · CWE: CWE-862

View on NVD

A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.

CVSS: 4.3 · CWE: CWE-285

View on NVD

A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from.

CVSS: 4.3 · CWE: CWE-862

View on NVD

A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.

CVSS: 4.3 · CWE: CWE-285

View on NVD

A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.

CVSS: 4.3 · CWE: CWE-209

View on NVD

A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

CVSS: 4.3 · CWE: CWE-200

View on NVD

A flaw was found in moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk.

CVSS: 5.4 · CWE: CWE-79

View on NVD

A flaw was found in moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files.

CVSS: 5.4 · CWE: CWE-79

View on NVD

A flaw was found in moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary.

CVSS: 5.3 · CWE: CWE-754

View on NVD

A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users.

CVSS: 5.3 · CWE: CWE-863

View on NVD

A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

CVSS: 5.3 · CWE: CWE-319

View on NVD

A flaw was found in moodle. External API access to Quiz can override contained insufficient access control.

CVSS: 5.3 · CWE: CWE-276

View on NVD

A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the information.

CVSS: 5.3 · CWE: CWE-312

View on NVD

A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.

CVSS: 3.7 · CWE: CWE-922

View on NVD

A flaw was found in moodle. A local file may include risks when restoring block backups.

CVSS: 7.5 · CWE: CWE-22

View on NVD

The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.

CVSS: 8.1 · CWE: CWE-22

View on NVD

A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.

CVSS: 7.5 · CWE: CWE-862

View on NVD

To address a cache poisoning risk in Moodle, additional validation for local storage was required.

CVSS: 7.7 · CWE: CWE-345

View on NVD

A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.

CVSS: 8.1 · CWE: CWE-94

View on NVD

Virtual Programming Lab for Moodle up to v4.2.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component vplide.js.

CVSS: 6.1 · CWE: CWE-79

View on NVD

Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name parameter) of a new activity.

CVSS: 5.5 · CWE: CWE-79

View on NVD

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

CVSS: 7.5 · CWE: CWE-226

View on NVD

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

CVSS: 6.5 · CWE: CWE-200

View on NVD

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

CVSS: 6.5 · CWE: CWE-200

View on NVD

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

CVSS: 5.9 · CWE: CWE-200

View on NVD

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

CVSS: 6.5 · CWE: CWE-200

View on NVD

The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text." This page also says "Chat is due to be r…

CVSS: 5.4 · CWE: CWE-94

View on NVD

A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the "GET /?lang=" URL parameter.

CVSS: 6.1 · CWE: CWE-79

View on NVD

Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.

CVSS: 6.5 · CWE: CWE-284

View on NVD

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

CVSS: 6.5 · CWE: CWE-94

View on NVD

Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to enhance their courses ... admins and teachers can post XSS-capable content, but students can not."

CVSS: 5.4 · CWE: CWE-79

View on NVD

The Edwiser Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,2.0.6. This is due to missing or incorrect nonce validation on the user_data_synchronization_initiater(), course_synchronization_initiater(), users_link_to_moodle_synchronization(), connection_test_initiater(), admin_menus(), and subscribe_handler() function. This makes it possible…

CVSS: 4.3 · CWE: CWE-352

View on NVD

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

CVSS: 7.5 · CWE: CWE-918

View on NVD

A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

CVSS: 6.3 · CWE: CWE-89

View on NVD

Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14.

CVSS: 6.1 · CWE: CWE-79

View on NVD

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer. NOTE: this is disputed by the vendor because the…

CVSS: 5.4 · CWE: CWE-79

View on NVD

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database.

CVSS: 5.6 · CWE: CWE-89

View on NVD

The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.

CVSS: 6.5 · CWE: CWE-73

View on NVD

In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.

CVSS: 4.3 · CWE: CWE-285

View on NVD

The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS).

CVSS: 9.8 · CWE: CWE-94

View on NVD

In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.

CVSS: 5.3 · CWE: CWE-912

View on NVD

In Moodle, Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.

CVSS: 5.3 · CWE: CWE-20

View on NVD

In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.

CVSS: 4.8 · CWE: CWE-79

View on NVD

In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.

CVSS: 5.3 · CWE: CWE-276

View on NVD

In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.

CVSS: 5.4 · CWE: CWE-79

View on NVD

In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.

CVSS: 5.4 · CWE: CWE-79

View on NVD

In Moodle, insufficient capability checks meant message deletions were not limited to the current user.

CVSS: 5.3 · CWE: CWE-276

View on NVD

In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.

CVSS: 7.5 · CWE: CWE-918

View on NVD

In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.

CVSS: 7.5 · CWE: CWE-400

View on NVD

In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

CVSS: 9.8 · CWE: CWE-384

View on NVD

In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

CVSS: 9.8 · CWE: CWE-89

View on NVD

In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.

CVSS: 9.8 · CWE: CWE-89

View on NVD

The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

CVSS: 8.2 · CWE: CWE-284

View on NVD