mod/forum/user.php in Moodle 1.9.x before 1.9.16 allows remote authenticated users to obtain the names and other details of arbitrary user accounts by searching for posts.
CVSS Score
4.0
EPSS Score
0.011
Published
2012-07-17
Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote attackers to view the profile images of arbitrary user accounts via unspecified vectors.
CVSS Score
5.0
EPSS Score
0.021
Published
2012-07-17
The rc4encrypt function in lib/moodlelib.php in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 uses a hardcoded password of nfgjeingjk, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by reading this script's source code within the open-source software distribution.
CVSS Score
5.0
EPSS Score
0.014
Published
2012-07-17
The theme implementation in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 triggers duplicate caching of Cascading Style Sheets (CSS) and JavaScript content, which allows remote attackers to bypass intended access restrictions and write to an operating-system temporary directory via unspecified vectors.
CVSS Score
6.4
EPSS Score
0.024
Published
2012-07-16
The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via unspecified vectors.
CVSS Score
5.8
EPSS Score
0.015
Published
2012-07-16
The moodle_enrol_external:role_assign function in enrol/externallib.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 does not have an authorization check, which allows remote authenticated users to gain privileges by making a role assignment.
CVSS Score
6.5
EPSS Score
0.013
Published
2012-07-16
lib/db/access.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 assigns incorrect capabilities to the course-creator role, which allows remote authenticated users to modify course filters by leveraging this role.
CVSS Score
5.5
EPSS Score
0.013
Published
2012-07-16
comment/lib.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 does not properly restrict comment capabilities, which allows remote attackers to post a comment by leveraging the guest role and operating on a front-page activity.
CVSS Score
6.4
EPSS Score
0.016
Published
2012-07-16
Cross-site request forgery (CSRF) vulnerability in Moodle 1.9.x before 1.9.11 allows remote attackers to hijack the authentication of unspecified victims for requests that modify an RSS feed in an RSS block.
CVSS Score
6.8
EPSS Score
0.01
Published
2012-07-16
Cross-site scripting (XSS) vulnerability in the tag autocomplete functionality in Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS Score
4.3
EPSS Score
0.018
Published
2012-07-16