In Moodle 3.x, glossary search displays entries without checking user permissions to view them.
CVSS Score
5.3
EPSS Score
0.012
Published
2017-01-20
In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.
CVSS Score
5.4
EPSS Score
0.009
Published
2017-01-20
In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course.
CVSS Score
5.4
EPSS Score
0.01
Published
2017-01-20
In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.
CVSS Score
7.3
EPSS Score
0.01
Published
2017-01-20
In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.
CVSS Score
5.3
EPSS Score
0.012
Published
2017-01-20
In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.
CVSS Score
4.3
EPSS Score
0.007
Published
2017-01-20
In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.
CVSS Score
5.3
EPSS Score
0.012
Published
2017-01-20
In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.
CVSS Score
5.3
EPSS Score
0.01
Published
2017-01-20
In Moodle 3.x, there is XSS in the assignment submission page.
CVSS Score
6.1
EPSS Score
0.009
Published
2017-01-20
Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters.
CVSS Score
6.1
EPSS Score
0.015
Published
2016-11-04