moodle/moodle v2.5.2 | Vulnerabilities | Sonatype Guide
Published
Sep 7, 2013
composer Registry
Versions
434
Vulnerabilities
265
Dependencies
0
Severity: Critical (0), High (0), Medium (200), Low (0)
Sort: Published (Newest first)
6.5
CVE-2026-26047
A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption.
affected
Severity
Medium
Published
Feb 23, 2026
6.1
CVE-2025-67849
A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated.
affected
Severity
Medium
Published
Feb 6, 2026
5.3
CVE-2025-67857
A flaw was found in Moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure.
affected
Severity
Medium
Published
Feb 4, 2026
6.1
CVE-2025-67852
A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure.
affected
Severity
Medium
Published
Feb 4, 2026
6.1
CVE-2025-67850
A flaw was found in Moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions.
affected
Severity
Medium
Published
Feb 4, 2026
6.1
CVE-2025-67855
A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user's browser.
affected
Severity
Medium
Published
Feb 4, 2026
6.5
CVE-2025-62400
Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.
affected
Severity
Medium
Published
Oct 24, 2025
6.1
CVE-2025-26529
Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.
affected
Severity
Medium
Published
Aug 12, 2025
5.3
CVE-2025-32045
A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades.
affected
Severity
Medium
Published
Apr 28, 2025
4.3
CVE-2025-3634
A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.
affected
Severity
Medium
Published
Apr 23, 2025
4.3
CVE-2025-3636
A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.
affected
Severity
Medium
Published
Apr 23, 2025
4.3
CVE-2025-3640
A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access.
affected
Severity
Medium
Published
Apr 23, 2025
5.4
CVE-2025-3643
A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.
affected
Severity
Medium
Published
Apr 23, 2025
4.3
CVE-2025-3644
A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.
affected
Severity
Medium
Published
Apr 23, 2025
4.3
CVE-2025-3645
A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.
affected
Severity
Medium
Published
Apr 23, 2025
4.3
CVE-2025-3647
A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.
affected
Severity
Medium
Published
Apr 23, 2025
6.5
CVE-2025-26526
Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.
affected
Severity
Medium
Published
Feb 26, 2025
5.3
CVE-2025-26527
Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.
affected
Severity
Medium
Published
Feb 26, 2025
4.3
CVE-2025-26532
Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.
affected
Severity
Medium
Published
Feb 26, 2025
5.3
CVE-2025-26531
Insufficient capability checks made it possible to disable badges a user does not have permission to access.
affected
Severity
Medium
Published
Feb 25, 2025
6.1
CVE-2025-26528
The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.
affected
Severity
Medium
Published
Feb 25, 2025
5.3
CVE-2024-55643
moodle - Incorrect Authorization
affected
Severity
Medium
Published
Dec 17, 2024
5.3
CVE-2024-45690
A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.
affected
Severity
Medium
Published
Nov 21, 2024
6.3
CVE-2024-45691
A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values.
affected
Severity
Medium
Published
Nov 21, 2024
6.5
CVE-2024-45689
A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.
affected
Severity
Medium
Published
Nov 21, 2024
1-25 of 200