Security announcements

The best way to keep track of the recent security issues and get the latest information is to register your Moodle site with moodle.org.

When you register your Moodle site, your email address is added to the low-volume mailing list that carries the most important and up-to-date information, including new and point releases and notifications such as security alerts.

We highly recommend you register your site.

Otherwise, after each release, all important security issues are published in this forum, which you can subscribe to (moodle.org account required).

Please note that if you subscribe to the security forum or follow Twitter instead, there is a delay of up to one week before the information becomes available.

Documentation: Security


Discussion | Started by | Replies | Last post
MSA-18-0016: Quiz question bank import preview could execute JavaScript 0 Michael Hawkins
Mon, 16 Jul 2018, 3:18 PM
MSA-18-0015: Web service core_course_get_categories may return invisible categories 0 Michael Hawkins
Mon, 16 Jul 2018, 3:15 PM
MSA-18-0014: Privacy data exports include log data 0 Michael Hawkins
Mon, 16 Jul 2018, 3:13 PM
MSA-18-0012: Portfolio script allows instantiation of class chosen by user 0 Marina Glancy
Fri, 25 May 2018, 1:57 PM
MSA-18-0011: User who did not agree to the site policies can see the site homepage as if they had full site access 0 Marina Glancy
Fri, 25 May 2018, 1:56 PM
MSA-18-0010: User can shift a block from Dashboard to any page 0 Marina Glancy
Fri, 25 May 2018, 1:54 PM
MSA-18-0009: Portfolio forum caller class allows a user to download any file 0 Marina Glancy
Fri, 25 May 2018, 1:53 PM
MSA-18-0008: Users can download any file via portfolio assignment caller class 0 Marina Glancy
Fri, 25 May 2018, 1:53 PM
MSA-18-0007: Calculated question type allows remote code execution by Question authors 0 Marina Glancy
Fri, 25 May 2018, 1:51 PM
MSA-18-0006: Suspended users with OAuth 2 authentication method can still log in to the site 0 Marina Glancy
Mon, 26 Mar 2018, 2:53 PM
MSA-18-0005: Unauthenticated users can trigger custom messages to admin via paypal enrol script 0 Marina Glancy
Mon, 26 Mar 2018, 2:52 PM
MSA-18-0004: XSS in calendar event name 0 Marina Glancy
Mon, 22 Jan 2018, 2:23 PM
MSA-18-0003: Privilege escalation in quiz web services 0 Marina Glancy
Mon, 22 Jan 2018, 2:22 PM
MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames 0 Marina Glancy
Mon, 22 Jan 2018, 2:21 PM
MSA-18-0001: Server Side Request Forgery in the filepicker 0 Marina Glancy
Mon, 22 Jan 2018, 2:20 PM
MSA-17-0021: Students can find out email addresses of other students in the same course 0 Marina Glancy
Mon, 20 Nov 2017, 2:48 PM
MSA-17-0020: Admins may not know that exposing vendor directory is a security risk 0 Marina Glancy
Mon, 18 Sep 2017, 11:07 AM
MSA-17-0019: user_can_view_profile() incorrectly assumes $course as shared course 0 Marina Glancy
Mon, 18 Sep 2017, 11:03 AM
MSA-17-0018: Course reports are not respecting group settings in courses 0 Marina Glancy
Mon, 18 Sep 2017, 11:02 AM
MSA-17-0017: XSS in contact form on "non-respondents" page in non-anonymous feedback 0 Marina Glancy
Mon, 18 Sep 2017, 11:01 AM
MSA-17-0016: Authentication bypass vulnerability with old CAS servers 0 Marina Glancy
Mon, 17 Jul 2017, 2:54 PM
MSA-17-0015: Course creators are able to change system default settings for courses 0 Marina Glancy
Mon, 17 Jul 2017, 2:53 PM
MSA-17-0014: Course overview block reveals activities in hidden courses 0 Marina Glancy
Mon, 17 Jul 2017, 2:53 PM
MSA-17-0006: User fullname disclosure on user preferences page 0 Marina Glancy
Mon, 17 Jul 2017, 2:52 PM
MSA-17-0013: Missing permission check when adding forum post attachments in Web Services 0 Marina Glancy
Mon, 15 May 2017, 2:26 PM
MSA-17-0012: CSRF in number of courses displayed in the course overview block 0 Marina Glancy
Mon, 15 May 2017, 2:26 PM
MSA-17-0011: Searching of blogs possible without capability to do it 0 Marina Glancy
Mon, 15 May 2017, 2:25 PM
MSA-17-0010: External blog editing takeover 0 Marina Glancy
Mon, 15 May 2017, 2:25 PM
MSA-17-0009: XSS in attachments to evidence of prior learning 0 Marina Glancy
Mon, 20 Mar 2017, 1:08 PM
MSA-17-0008: XSS in evidence of prior learning 0 Marina Glancy
Mon, 20 Mar 2017, 1:07 PM
MSA-17-0007: Global search displays user names for unauthenticated users 0 Marina Glancy
Mon, 20 Mar 2017, 1:06 PM
MSA-17-0005: SQL injection via user preferences 0 Marina Glancy
Mon, 20 Mar 2017, 1:04 PM
MSA-17-0004: XSS in assignment submission page 0 Marina Glancy
Tue, 17 Jan 2017, 12:13 PM
MSA-17-0003: PHPMailer vulnerability in no-reply address 0 Marina Glancy
Tue, 17 Jan 2017, 12:12 PM
MSA-17-0002: Incorrect sanitation of attributes in forums 0 Marina Glancy
Tue, 17 Jan 2017, 12:12 PM
MSA-17-0001: System file inclusion when adding own preset file in Boost theme 0 Marina Glancy
Tue, 17 Jan 2017, 12:05 PM
MSA-16-0026: When debugging is enabled, error exceptions returned from webservices could contain private data. 0 Marina Glancy
Mon, 21 Nov 2016, 11:51 AM
MSA-16-0025: Capability to view course notes is checked in the wrong context 0 Marina Glancy
Mon, 21 Nov 2016, 11:49 AM
MSA-16-0024: Non-admin site managers may accidentally edit admins via web services 0 Marina Glancy
Mon, 21 Nov 2016, 11:48 AM
MSA-16-0023: Question engine allows access to files that should not be available 0 Marina Glancy
Mon, 21 Nov 2016, 11:46 AM
MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed 0 Marina Glancy
Mon, 12 Sep 2016, 9:58 AM
MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course 0 Marina Glancy
Tue, 19 Jul 2016, 4:05 PM
MSA-16-0020: Text injection in email headers 0 Marina Glancy
Tue, 19 Jul 2016, 4:04 PM
MSA-16-0019: Glossary search displays entries without checking user permissions to view them 0 Marina Glancy
Tue, 19 Jul 2016, 4:04 PM
MSA-16-0018: CSRF in script marking forum posts as read 0 Marina Glancy
Wed, 18 May 2016, 5:18 PM
MSA-16-0017: Course idnumber not protected from teacher restore 0 Marina Glancy
Wed, 18 May 2016, 5:18 PM
MSA-16-0016: User can view badges of other users without proper permissions 0 Marina Glancy
Wed, 18 May 2016, 5:17 PM
MSA-16-0015: Information disclosure of hidden forum names and sub-names. 0 Marina Glancy
Wed, 18 May 2016, 5:17 PM
MSA-16-0014 0 Marina Glancy
Tue, 17 May 2016, 1:57 PM
MSA-16-0013: Users are able to change profile fields that were locked by the administrator 0 Marina Glancy
Tue, 17 May 2016, 1:55 PM
MSA-16-0012: External function mod_assign_save_submission does not check due dates 0 Marina Glancy
Mon, 21 Mar 2016, 2:14 PM
MSA-16-0011: Add no referrer to links with _blank target attribute 0 Marina Glancy
Mon, 21 Mar 2016, 2:13 PM
MSA-16-0010: Enumeration of category details possible without authentication 0 Marina Glancy
Mon, 21 Mar 2016, 2:12 PM
MSA-16-0009: CSRF in Assignment plugin management page 0 Marina Glancy
Mon, 21 Mar 2016, 2:12 PM
MSA-16-0008: External function get_calendar_events return events that pertains to hidden activities 0 Marina Glancy
Mon, 21 Mar 2016, 2:11 PM
MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single View 0 Marina Glancy
Mon, 21 Mar 2016, 2:11 PM
MSA-16-0006: Hidden courses are shown to students in Event Monitor 0 Marina Glancy
Mon, 21 Mar 2016, 2:10 PM
MSA-16-0005: Reflected XSS in mod_data advanced search 0 Marina Glancy
Mon, 21 Mar 2016, 2:09 PM
MSA-16-0004: XSS from profile fields from external db 0 Marina Glancy
Mon, 21 Mar 2016, 2:09 PM
MSA-16-0003: Incorrect capability check when displaying users emails in Participants list 0 Marina Glancy
Mon, 21 Mar 2016, 2:08 PM
MSA-16-0002: XSS Vulnerability in course management search 0 Marina Glancy
Mon, 18 Jan 2016, 11:50 AM
MSA-16-0001: Two enrolment-related web services don't check course visibility 0 Marina Glancy
Mon, 18 Jan 2016, 11:49 AM
MSA-15-0046: Choice module closing date can be bypassed 0 Marina Glancy
Mon, 16 Nov 2015, 12:31 PM
MSA-15-0045: SCORM module allows to bypass access restrictions based on date 0 Marina Glancy
Mon, 16 Nov 2015, 12:28 PM
MSA-15-0044: Capability to view available badges is not respected 0 Marina Glancy
Mon, 16 Nov 2015, 12:27 PM
MSA-15-0043: Web service core_enrol_get_enrolled_users does not respect course group mode 0 Marina Glancy
Mon, 16 Nov 2015, 12:25 PM
MSA-15-0042: CSRF in lesson login form 0 Marina Glancy
Mon, 16 Nov 2015, 12:22 PM
MSA-15-0041: XSS in flash video player 0 Marina Glancy
Mon, 16 Nov 2015, 12:21 PM
MSA-15-0040: Student XSS in survey 0 Marina Glancy
Mon, 16 Nov 2015, 12:20 PM
MSA-15-0039: CSRF in site registration form 0 Marina Glancy
Mon, 16 Nov 2015, 12:18 PM
MSA-15-0038: DDoS possibility in Atto 0 Marina Glancy
Mon, 16 Nov 2015, 12:15 PM
MSA-15-0037: Possible to send a message to a user who blocked messages from non contacts 0 Marina Glancy
Mon, 16 Nov 2015, 12:14 PM
MSA-15-0036: XSS in grouping description 0 Marina Glancy
Mon, 21 Sep 2015, 9:46 AM
MSA-15-0035: Rating component does not check separate groups 0 Marina Glancy
Mon, 21 Sep 2015, 9:45 AM
MSA-15-0034: Vulnerability in password recovery mechanism 0 Marina Glancy
Mon, 21 Sep 2015, 9:44 AM
MSA-15-0033: Meta course synchronisation enrols suspended students as managers for a short period of time 0 Marina Glancy
Mon, 21 Sep 2015, 9:43 AM
MSA-15-0032: Users can delete files uploaded by other users in wiki 0 Marina Glancy
Mon, 21 Sep 2015, 9:42 AM
MSA-15-0031: Teacher in forum can still post to "all participants" and groups they are not members of 0 Marina Glancy
Mon, 21 Sep 2015, 9:38 AM
MSA-15-0030: Students can re-attempt answering questions in the lesson 0 Marina Glancy
Mon, 21 Sep 2015, 9:36 AM
MSA-15-0029: Javascript injection in SCORM module 0 Marina Glancy
Mon, 13 Jul 2015, 8:31 AM
MSA-15-0028: Possible XSS through custom text profile fields in Web Services 0 Marina Glancy
Mon, 13 Jul 2015, 8:29 AM
MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not respected when using 'Post a copy to all groups' in forum 0 Marina Glancy
Mon, 13 Jul 2015, 8:28 AM
MSA-15-0026: Possible phishing when redirecting to external site using referer header 0 Marina Glancy
Mon, 13 Jul 2015, 8:27 AM
MSA-15-0025: Capability to manage own files is not respected in Web Services 0 Marina Glancy
Mon, 18 May 2015, 9:05 AM
MSA-15-0024: User with suspended enrolment can see sections in the navigation tree 0 Marina Glancy
Mon, 18 May 2015, 9:04 AM
MSA-15-0023: Suspended user is able to login when confirming email 0 Marina Glancy
Mon, 18 May 2015, 9:03 AM
MSA-15-0022: Potential XSS risk when returning text entered by student from Web Services 0 Marina Glancy
Mon, 18 May 2015, 9:02 AM
MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor rules 0 Marina Glancy
Mon, 18 May 2015, 9:01 AM
MSA-15-0020: User fullname disclosure through account confirmation link 0 Marina Glancy
Mon, 18 May 2015, 9:00 AM
MSA-15-0019: Possible phishing when redirecting to external site using referer header 0 Marina Glancy
Mon, 18 May 2015, 8:59 AM
MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare that 0 Marina Glancy
Mon, 18 May 2015, 8:54 AM
MSA-15-0017: XSS in quiz statistics report 0 Marina Glancy
Mon, 16 Mar 2015, 11:08 AM
MSA-15-0016: Web services token can be created for user with temporary password 0 Marina Glancy
Mon, 16 Mar 2015, 11:08 AM
MSA-15-0015: User without proper permission is able to mark the tag as inappropriate 0 Marina Glancy
Mon, 16 Mar 2015, 11:07 AM
MSA-15-0014: Potential information disclosure for the inaccessible courses 0 Marina Glancy
Mon, 16 Mar 2015, 11:06 AM
MSA-15-0013: Block title not properly escaped and may cause HTML injection 0 Marina Glancy
Mon, 16 Mar 2015, 11:06 AM
MSA-15-0012: ReDoS Possible with Convert links to URLs filter 0 Marina Glancy
Mon, 16 Mar 2015, 11:05 AM
MSA-15-0011: Authentication in mdeploy can be bypassed 0 Marina Glancy
Mon, 16 Mar 2015, 11:04 AM
MSA-15-0010: Personal contacts and number of unread messages can be revealed 0 Marina Glancy
Mon, 16 Mar 2015, 11:03 AM
MSA-15-0009: Directory Traversal Attack possible through some files serving JS 0 Marina Glancy
Tue, 10 Feb 2015, 10:13 AM
MSA-15-0008: Forced logout through Shibboleth authentication plugin 0 Marina Glancy
Mon, 19 Jan 2015, 10:02 AM
MSA-15-0007: ReDoS possible in the multimedia filter 0 Marina Glancy
Mon, 19 Jan 2015, 10:01 AM
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask 0 Marina Glancy
Mon, 19 Jan 2015, 10:00 AM
MSA-15-0005: Insufficient access check in calendar functions in web-services 0 Marina Glancy
Mon, 19 Jan 2015, 9:59 AM
MSA-15-0004: Information leak through messaging functions in web-services 0 Marina Glancy
Mon, 19 Jan 2015, 9:58 AM
MSA-15-0003: CSRF possible in Glossary module 0 Marina Glancy
Mon, 19 Jan 2015, 9:56 AM
MSA-15-0002: XSS vulnerability in course request pending approval page 0 Marina Glancy
Mon, 19 Jan 2015, 9:55 AM
MSA-15-0001: Insufficient access check in LTI module 0 Marina Glancy
Mon, 19 Jan 2015, 9:52 AM
MSA-14-0049: Possible to print arbitrary message to user by modifying URL 0 Marina Glancy
Mon, 17 Nov 2014, 12:28 PM
MSA-14-0048: CSRF in forum tracking toggle 0 Marina Glancy
Mon, 17 Nov 2014, 12:27 PM
MSA-14-0047: Possible data loss in Wiki activity 0 Marina Glancy
Mon, 17 Nov 2014, 12:26 PM
MSA-14-0046: CSRF in LTI module 0 Marina Glancy
Mon, 17 Nov 2014, 12:25 PM
MSA-14-0045: XSS file upload possible through web service 0 Marina Glancy
Mon, 17 Nov 2014, 12:25 PM
MSA-14-0044: Hardware path disclosed in the error message 0 Marina Glancy
Mon, 17 Nov 2014, 12:24 PM
MSA-14-0043: Lack of group check in web service for Forum 0 Marina Glancy
Mon, 17 Nov 2014, 12:23 PM
MSA-14-0042: Lack of access check in IP lookup functionality 0 Marina Glancy
Mon, 17 Nov 2014, 12:22 PM
MSA-14-0041: Lack of capability check in tags list access 0 Marina Glancy
Mon, 17 Nov 2014, 12:21 PM
MSA-14-0040: Information leak in Database activity module 0 Marina Glancy
Mon, 17 Nov 2014, 12:10 PM
MSA-14-0039: Insufficient access check in LTI module 0 Marina Glancy
Mon, 17 Nov 2014, 12:09 PM
MSA-14-0038: Hidden grade information exposed by web services 0 Marina Glancy
Mon, 17 Nov 2014, 12:08 PM
MSA-14-0037: Weak temporary password generation 0 Marina Glancy
Mon, 17 Nov 2014, 12:07 PM
MSA-14-0036: XSS in mapcourse script in Feedback module 0 Marina Glancy
Mon, 17 Nov 2014, 10:37 AM
MSA-14-0035: Headers not added to some AJAX scripts 0 Marina Glancy
Mon, 17 Nov 2014, 10:33 AM
MSA-14-0034: Identity information revealed early in Q&A forum 0 Michael de Raadt
Mon, 15 Sep 2014, 8:29 AM
MSA-14-0033: URL parameter injection in CAS authentication 0 Michael de Raadt
Mon, 15 Sep 2014, 8:28 AM
MSA-14-0032: Cross-site scripting in advanced grading methods 0 Michael de Raadt
Mon, 21 Jul 2014, 4:00 PM
MSA-14-0031: Cross-site scripting through scheduled task error messages 0 Michael de Raadt
Mon, 21 Jul 2014, 4:00 PM
MSA-14-0030: Cross-site scripting through logs of failed logins 0 Michael de Raadt
Mon, 21 Jul 2014, 3:59 PM
MSA-14-0029: Cross-site scripting vulnerability in exception dialogues 0 Michael de Raadt
Mon, 21 Jul 2014, 3:58 PM
MSA-14-0028: Cross-site scripting possible in external badges 0 Michael de Raadt
Mon, 21 Jul 2014, 9:56 AM
MSA-14-0027: Forum group posting issue 0 Michael de Raadt
Mon, 21 Jul 2014, 9:55 AM
MSA-14-0026: Information leak in profile and notes pages 0 Michael de Raadt
Mon, 21 Jul 2014, 9:52 AM
MSA-14-0025: Remote code execution in Quiz 0 Michael de Raadt
Mon, 21 Jul 2014, 9:51 AM
MSA-14-0024: Cross-site scripting vulnerability in profile field 0 Michael de Raadt
Mon, 21 Jul 2014, 9:48 AM
MSA-14-0023: XML External Entity vulnerability in IMSCC and IMSCP 0 Michael de Raadt
Mon, 21 Jul 2014, 9:45 AM
MSA-14-0022: XML External Entity vulnerability in LTI module 0 Michael de Raadt
Mon, 21 Jul 2014, 9:43 AM
MSA-14-0021: Code injection in Repositories 0 Michael de Raadt
Mon, 21 Jul 2014, 9:42 AM
MSA-14-0020: Identity confusion in Shibboleth authentication 0 Michael de Raadt
Mon, 21 Jul 2014, 9:40 AM
MSA-14-0019: Reflected XSS in URL downloader repository 0 Michael de Raadt
Mon, 19 May 2014, 9:31 AM
MSA-14-0018: Information leak in courses 0 Michael de Raadt
Mon, 19 May 2014, 9:29 AM
MSA-14-0017: File access issue in HTML block 0 Michael de Raadt
Mon, 19 May 2014, 9:27 AM
MSA-14-0016: Anonymous student identity revealed in assignment 0 Michael de Raadt
Mon, 19 May 2014, 9:26 AM
MSA-14-0015: Web service token expiry issue for MoodleMobile 0 Michael de Raadt
Mon, 19 May 2014, 9:24 AM
MSA-14-0014: Cross-site request forgery possible in Assignment 0 Michael de Raadt
Mon, 19 May 2014, 9:22 AM
MSA-14-0013: Unfiltered data used in Assignment web services 0 Michael de Raadt
Mon, 24 Mar 2014, 8:52 AM
MSA-14-0008: Cross site scripting potential in Flowplayer 0 Michael de Raadt
Mon, 24 Mar 2014, 8:51 AM
MSA-14-0004: Incorrect filtering in Quiz 0 Michael de Raadt
Mon, 24 Mar 2014, 8:51 AM
MSA-14-0012: Access issue in Badges 0 Michael de Raadt
Mon, 17 Mar 2014, 9:52 AM
MSA-14-0011: Cross site request forgery potential in IMS enrolments 0 Michael de Raadt
Mon, 17 Mar 2014, 9:51 AM
MSA-14-0010: Identity information leak in Alfresco Repository 0 Michael de Raadt
Mon, 17 Mar 2014, 9:48 AM
MSA-14-0009: Identity information leak in Forum and Quiz 0 Michael de Raadt
Mon, 17 Mar 2014, 9:47 AM
MSA-14-0007: Access issue in Wiki 0 Michael de Raadt
Mon, 17 Mar 2014, 9:43 AM
MSA-14-0006: Capability issue in Chat 0 Michael de Raadt
Mon, 17 Mar 2014, 9:40 AM
MSA-14-0005: Access issue in Feedback activity 0 Michael de Raadt
Mon, 17 Mar 2014, 9:39 AM
MSA-14-0003: Cross-site request forgery vulnerability in profile fields 0 Michael de Raadt
Mon, 17 Mar 2014, 9:36 AM
MSA-14-0002: Group constraints lacking in "login as" 0 Michael de Raadt
Mon, 20 Jan 2014, 8:49 AM
MSA-14-0001: Config passwords visibility issue 0 Michael de Raadt
Mon, 20 Jan 2014, 8:48 AM
MSA-13-0040: Cross site scripting vulnerability in YUI library 0 Michael de Raadt
Mon, 25 Nov 2013, 8:44 AM
MSA-13-0039: Cross site scripting in Quiz 0 Michael de Raadt
Mon, 25 Nov 2013, 8:35 AM
MSA-13-0038: Access to server files through repository 0 Michael de Raadt
Mon, 25 Nov 2013, 8:33 AM
MSA-13-0037: Cross site scripting in Messages 0 Michael de Raadt
Mon, 25 Nov 2013, 8:31 AM
MSA-13-0036: Incorrect headers sent for secured resources 0 Michael de Raadt
Mon, 25 Nov 2013, 8:29 AM
MSA-13-0035: Inadequate filtering in Blog 0 Michael de Raadt
Mon, 23 Sep 2013, 4:17 PM
MSA-13-0034: Object injection through Badges 0 Michael de Raadt
Mon, 23 Sep 2013, 4:17 PM
MSA-13-0033: Potential SQL injection in Moodle's SQL Server driver 0 Michael de Raadt
Mon, 16 Sep 2013, 9:38 AM
MSA-13-0032: Host verification failure in Amazon S3 repository 0 Michael de Raadt
Mon, 16 Sep 2013, 9:36 AM
MSA-13-0031: Personal information leak in Feedback activity 0 Michael de Raadt
Mon, 15 Jul 2013, 9:29 AM
MSA-13-0030: Information leak through RSS 0 Michael de Raadt
Mon, 15 Jul 2013, 9:26 AM
MSA-13-0029: XSS risk in conditional activities 0 Michael de Raadt
Mon, 15 Jul 2013, 9:24 AM
MSA-13-0028: Answer information revealed in Lesson activity 0 Michael de Raadt
Mon, 15 Jul 2013, 9:22 AM
MSA-13-0027: Access issue in Chat module 0 Michael de Raadt
Mon, 15 Jul 2013, 9:19 AM
MSA-13-0026: Personal information leak in IMS-LTI 0 Michael de Raadt
Mon, 15 Jul 2013, 9:19 AM
MSA-13-0025: XSS vulnerability in YUI library 0 Michael de Raadt
Mon, 15 Jul 2013, 9:08 AM
MSA-13-0024: Form filtering issue 0 Michael de Raadt
Tue, 21 May 2013, 8:13 AM
MSA-13-0023: Permission issue in blog comments 0 Michael de Raadt
Tue, 21 May 2013, 8:11 AM
MSA-13-0022: Information leak in hub registration 0 Michael de Raadt
Tue, 21 May 2013, 8:09 AM
MSA-13-0021: Potential information leak in Gradebook 0 Michael de Raadt
Tue, 21 May 2013, 8:06 AM
MSA-13-0020: Capability issue in Assignment 0 Michael de Raadt
Tue, 21 May 2013, 8:01 AM
MSA-13-0019: Unauthorised settings editing through WebDav repository 0 Michael de Raadt
Mon, 25 Mar 2013, 1:49 PM
MSA-13-0018: Personal information leak through repositories 0 Michael de Raadt
Mon, 25 Mar 2013, 1:49 PM
MSA-13-0017: Form manipulation issue in notes 0 Michael de Raadt
Mon, 25 Mar 2013, 1:48 PM
MSA-13-0016: External Entity Injection through Zend library 0 Michael de Raadt
Mon, 25 Mar 2013, 1:48 PM
MSA-13-0015: Cross-site scripting issue in Filepicker 0 Michael de Raadt
Mon, 25 Mar 2013, 1:47 PM
MSA-13-0014: Password revealed in WebDav repository 0 Michael de Raadt
Mon, 25 Mar 2013, 1:47 PM
MSA-13-0013: Server information revealed through exception messages 0 Michael de Raadt
Mon, 25 Mar 2013, 1:46 PM
MSA-13-0012: Information leak in course profiles 0 Michael de Raadt
Mon, 25 Mar 2013, 1:46 PM
MSA-13-0011: Calendar subscription capability issue 0 Michael de Raadt
Mon, 25 Mar 2013, 1:45 PM
MSA-13-0010: Failure to check capabilities in calendar 0 Michael de Raadt
Mon, 21 Jan 2013, 10:05 AM
MSA-13-0009: Information leak through Blog RSS 0 Michael de Raadt
Mon, 21 Jan 2013, 10:04 AM
MSA-13-0008: Information leak through Blog RSS 0 Michael de Raadt
Mon, 21 Jan 2013, 10:03 AM
MSA-13-0007: Potential exploit in messaging 0 Michael de Raadt
Mon, 21 Jan 2013, 9:59 AM
MSA-13-0006: Potential information leak in Assignment module 0 Michael de Raadt
Mon, 21 Jan 2013, 9:57 AM
MSA-13-0005: Potential phishing attack through URL redirects 0 Michael de Raadt
Mon, 21 Jan 2013, 9:56 AM
MSA-13-0004: Information leak through activity report 0 Michael de Raadt
Mon, 21 Jan 2013, 9:54 AM
MSA-13-0003: Potential server file access through backup restoration 0 Michael de Raadt
Mon, 21 Jan 2013, 9:53 AM
MSA-13-0002: Capability issue with Outcome editing 0 Michael de Raadt
Mon, 21 Jan 2013, 9:50 AM
MSA-13-0001: Security issue in Google Spellchecker in TinyMCE 0 Michael de Raadt
Mon, 21 Jan 2013, 9:46 AM
MSA-12-0063: Information leak in Check Permissions page 0 Michael de Raadt
Mon, 19 Nov 2012, 8:29 AM
MSA-12-0062: Information leak in Database activity module 0 Michael de Raadt
Mon, 19 Nov 2012, 8:27 AM
MSA-12-0061: Remote code execution through Portfolio API 0 Michael de Raadt
Mon, 19 Nov 2012, 8:24 AM
MSA-12-0060: Cross-site scripting vulnerability in YUI2 0 Michael de Raadt
Mon, 19 Nov 2012, 8:22 AM
MSA-12-0059: Information leak in Database activity module 0 Michael de Raadt
Mon, 19 Nov 2012, 8:20 AM
MSA-12-0058: Possible form data manipulation issue 0 Michael de Raadt
Mon, 19 Nov 2012, 8:19 AM
MSA-12-0057: Access issue through repository 0 Michael de Raadt
Mon, 19 Nov 2012, 8:17 AM
MSA-12-0056: Information leak in drag-and-drop 0 Michael de Raadt
Mon, 17 Sep 2012, 11:58 AM
MSA-12-0055: Web service access token issue 0 Michael de Raadt
Mon, 17 Sep 2012, 11:57 AM
MSA-12-0054: Course reset permission issue 0 Michael de Raadt
Mon, 17 Sep 2012, 11:56 AM
MSA-12-0053: Blog file access issue 0 Michael de Raadt
Mon, 17 Sep 2012, 11:54 AM
MSA-12-0052: Course topics permission issue 0 Michael de Raadt
Mon, 17 Sep 2012, 11:53 AM
MSA-12-0051: File upload size constraint issue 0 Michael de Raadt
Mon, 17 Sep 2012, 11:51 AM
MSA-12-0050: Potential DOS attack through database activity 0 Michael de Raadt
Tue, 17 Jul 2012, 8:44 AM
MSA-12-0049: Group restricted activity displayed to all users 0 Michael de Raadt
Tue, 17 Jul 2012, 8:44 AM
MSA-12-0048: Possible XSS in cohort administration 0 Michael de Raadt
Tue, 17 Jul 2012, 8:44 AM
MSA-12-0047: SQL injection potential in Feedback module 0 Michael de Raadt
Tue, 17 Jul 2012, 8:44 AM
MSA-12-0046: Insecure protocol redirection in LDAP authentication 0 Michael de Raadt
Tue, 17 Jul 2012, 8:43 AM
MSA-12-0045: Injection potential in admin for repositories 0 Michael de Raadt
Tue, 17 Jul 2012, 8:22 AM
MSA-12-0044: Capability check issue in forum subscriptions 0 Michael de Raadt
Tue, 17 Jul 2012, 8:20 AM
MSA-12-0043: Early information access issue in forum 0 Michael de Raadt
Tue, 17 Jul 2012, 8:18 AM
MSA-12-0042: File access issue in blocks 0 Michael de Raadt
Tue, 17 Jul 2012, 8:18 AM
MSA-12-0041: XSS issue in LTI module 0 Michael de Raadt
Tue, 17 Jul 2012, 8:14 AM
MSA-12-0040: Capabilities issue through caching 0 Michael de Raadt
Tue, 17 Jul 2012, 8:13 AM
MSA-12-0039: File upload validation issue 0 Michael de Raadt
Tue, 17 Jul 2012, 8:11 AM
MSA-12-0038: Calendar event write permission issue 0 Michael de Raadt
Mon, 21 May 2012, 2:55 PM
MSA-12-0037: Write access issue in Database activity module 0 Michael de Raadt
Mon, 21 May 2012, 2:54 PM
MSA-12-0036: Cross-site scripting vulnerability in category identifier 0 Michael de Raadt
Mon, 21 May 2012, 2:52 PM
MSA-12-0035: Cross-site scripting vulnerability in "download all" 0 Michael de Raadt
Mon, 21 May 2012, 2:50 PM
MSA-12-0034: Potential SQL injection issue 0 Michael de Raadt
Mon, 21 May 2012, 2:48 PM
MSA-12-0033: Cross-site scripting vulnerability in Blog 0 Michael de Raadt
Mon, 21 May 2012, 2:47 PM
MSA-12-0032: Cross-site scripting vulnerability in Web services 0 Michael de Raadt
Mon, 21 May 2012, 2:45 PM
MSA-12-0031: Cross-site scripting vulnerability in Wiki 0 Michael de Raadt
Mon, 21 May 2012, 2:43 PM
MSA-12-0030: Capability manipulation issue 0 Michael de Raadt
Mon, 21 May 2012, 2:38 PM
MSA-12-0029: Information editing access issue 0 Michael de Raadt
Mon, 21 May 2012, 2:36 PM
MSA-12-0028: Insecure authentication issue 0 Michael de Raadt
Mon, 21 May 2012, 2:34 PM
MSA-12-0027: Question bank capability issues 0 Michael de Raadt
Mon, 21 May 2012, 2:32 PM
MSA-12-0026: Quiz capability issue 0 Michael de Raadt
Mon, 21 May 2012, 2:30 PM
MSA-12-0025: Personal communication access issue 0 Michael de Raadt
Mon, 21 May 2012, 2:20 PM
MSA-12-0024: Hidden information access issue 0 Michael de Raadt
Mon, 21 May 2012, 2:19 PM
MSA-12-0023: External enrolment plugin context check issue 0 Michael de Raadt
Mon, 19 Mar 2012, 1:57 PM
MSA-12-0022: Security conflict in Web services 0 Michael de Raadt
Mon, 19 Mar 2012, 1:56 PM
MSA-12-0021: Course information leak through tags 0 Michael de Raadt
Mon, 19 Mar 2012, 1:54 PM
MSA-12-0020: Forum subscription permission issue 0 Michael de Raadt
Mon, 19 Mar 2012, 1:53 PM
MSA-12-0019: Overview report and hidden course issue 0 Michael de Raadt
Mon, 19 Mar 2012, 1:51 PM
MSA-12-0018: Course information leak in Gradebook export 0 Michael de Raadt
Mon, 19 Mar 2012, 1:49 PM
MSA-12-0017: Personal information leak issue 0 Michael de Raadt
Mon, 19 Mar 2012, 1:47 PM
MSA-12-0016: Default repository capabilities issue 0 Michael de Raadt
Mon, 19 Mar 2012, 1:45 PM
MSA-12-0015: Backup and private files issue 0 Michael de Raadt
Mon, 19 Mar 2012, 1:42 PM
MSA-12-0014: Password and Web services issue 0 Michael de Raadt
Mon, 19 Mar 2012, 1:41 PM
MSA-12-0013: Database activity export permission issue 0 Michael de Raadt
Mon, 19 Mar 2012, 1:33 PM
MSA-12-0012: Form validation issue 0 Michael de Raadt
Tue, 17 Jan 2012, 10:21 AM
MSA-12-0011: Browser autofill password issue 0 Michael de Raadt
Tue, 17 Jan 2012, 10:19 AM
MSA-12-0010: Unauthorised access to session key 0 Michael de Raadt
Tue, 17 Jan 2012, 10:18 AM
MSA-12-0009: Role access issue 0 Michael de Raadt
Tue, 17 Jan 2012, 10:14 AM
MSA-12-0008: Unsynchronised access via tokens 0 Michael de Raadt
Tue, 17 Jan 2012, 10:12 AM
MSA-12-0007: Email injection prevention 0 Michael de Raadt
Tue, 17 Jan 2012, 10:11 AM
MSA-12-0006: Additional email address validation 0 Michael de Raadt
Tue, 17 Jan 2012, 10:09 AM
MSA-12-0005: Encryption enhancement 0 Michael de Raadt
Tue, 17 Jan 2012, 10:07 AM
MSA-12-0004: Added profile image security 0 Michael de Raadt
Tue, 17 Jan 2012, 10:05 AM
MSA-12-0003: Added password protection 0 Michael de Raadt
Tue, 17 Jan 2012, 10:04 AM
MSA-12-0002: Personal information leak 0 Michael de Raadt
Tue, 17 Jan 2012, 10:01 AM
MSA-12-0001: Recaptcha transmission consistency issue 0 Michael de Raadt
Tue, 17 Jan 2012, 9:45 AM
MSA-11-0054: Personal information leak 0 Michael de Raadt
Tue, 6 Dec 2011, 4:24 PM
MSA-11-0053: Security and system administration conflict 0 Michael de Raadt
Tue, 6 Dec 2011, 4:23 PM
MSA-11-0052: Potential to exploit developer debugging scripts 0 Michael de Raadt
Tue, 6 Dec 2011, 4:06 PM
MSA-11-0051: Authentication issue with Web services 0 Michael de Raadt
Tue, 6 Dec 2011, 4:04 PM
MSA-11-0050: Backup capability issue 0 Michael de Raadt
Tue, 6 Dec 2011, 4:01 PM
MSA-11-0049: Network restriction ineffective with MNet 0 Michael de Raadt
Tue, 6 Dec 2011, 3:59 PM
MSA-11-0048: Password loss issue 0 Michael de Raadt
Tue, 6 Dec 2011, 3:59 PM
MSA-11-0047: Possible injection attack in Calendar 0 Michael de Raadt
Tue, 6 Dec 2011, 3:59 PM
MSA-11-0046: Insecure authentication transmission 0 Michael de Raadt
Tue, 6 Dec 2011, 3:58 PM
MSA-11-0045: Potential to masquerade through MNet 0 Michael de Raadt
Tue, 6 Dec 2011, 3:58 PM
MSA-11-0044: Expired identification information shown in Web services 0 Michael de Raadt
Tue, 6 Dec 2011, 3:57 PM
MSA-11-0043: Possible link redirect in Calendar 0 Michael de Raadt
Tue, 6 Dec 2011, 3:57 PM
MSA-11-0042: Information leak in Wiki 0 Michael de Raadt
Tue, 6 Dec 2011, 3:57 PM
MSA-11-0040: Potential personal information leak 0 Michael de Raadt
Mon, 31 Oct 2011, 3:29 PM
MSA-11-0038: Database injection protection strengthened 0 Michael de Raadt
Thu, 27 Oct 2011, 11:38 PM
MSA-11-0041: Global search authentication issue 0 Michael de Raadt
Tue, 18 Oct 2011, 12:24 PM
MSA-11-0039: Wiki section vulnerability 0 Michael de Raadt
Tue, 18 Oct 2011, 12:21 PM
MSA-11-0037: Course section editing injection vulnerability 0 Michael de Raadt
Tue, 18 Oct 2011, 12:17 PM
MSA-11-0036: Messaging refresh vulnerability 0 Michael de Raadt
Tue, 18 Oct 2011, 12:15 PM
MSA-11-0035: Cookie-less session vulnerability 0 Michael de Raadt
Tue, 18 Oct 2011, 12:13 PM
MSA-11-0034: Chat module information leak 0 Michael de Raadt
Tue, 18 Oct 2011, 12:11 PM
MSA-11-0033: Site-hub registration identity issue 0 Michael de Raadt
Tue, 18 Oct 2011, 12:09 PM
MSA-11-0032: MNET SSL validation issue 0 Michael de Raadt
Tue, 18 Oct 2011, 12:07 PM
MSA-11-0031: Forms API constant issue 0 Michael de Raadt
Tue, 18 Oct 2011, 12:06 PM
MSA-11-0030: Box.net repository integration authentication issue 0 Michael de Raadt
Tue, 18 Oct 2011, 12:03 PM
MSA-11-0029: File visibility issue 0 Michael de Raadt
Tue, 18 Oct 2011, 11:59 AM
MSA-11-0028: Wiki comments cross site scripting issue 0 Michael de Raadt
Tue, 18 Oct 2011, 11:56 AM
MSA-11-0027: Wiki pages reference forgery issue 0 Michael de Raadt
Tue, 18 Oct 2011, 11:55 AM
MSA-11-0026: Fields in user upload CSV not being escaped 0 Michael de Raadt
Tue, 18 Oct 2011, 11:52 AM
MSA-11-0025: Group names in user upload CSV not being escaped 0 Michael de Raadt
Mon, 8 Aug 2011, 5:02 PM
MSA-11-0024: Recaptcha images were being authenticated from an older server 0 Michael de Raadt
Mon, 8 Aug 2011, 5:02 PM
MSA-11-0023: Guests can add comments to front page activities 0 Michael de Raadt
Mon, 8 Aug 2011, 5:01 PM
MSA-11-0022: Course creators could change filters at course level 0 Michael de Raadt
Mon, 8 Aug 2011, 5:00 PM
MSA-11-0021: Role assignment web service function not following restrictions 0 Michael de Raadt
Mon, 8 Aug 2011, 4:59 PM
MSA-11-0020: Continue links in error messages can lead offsite 0 Michael de Raadt
Mon, 8 Aug 2011, 4:59 PM
MSA-11-0019: Themes writing to files outside Moodle data directory 0 Michael de Raadt
Mon, 8 Aug 2011, 4:59 PM
MSA-11-0018: Lacking capability controls over cohorts 0 Michael de Raadt
Mon, 8 Aug 2011, 4:58 PM
MSA-11-0017: Ability to generate invalid records in the comments table in the database 0 Helen Foster
Wed, 18 May 2011, 4:09 PM
MSA-11-0016: Ability to fill a database with invalid records through ratings 0 Helen Foster
Wed, 18 May 2011, 4:05 PM
MSA-11-0015: Cross Site Scripting through URL encoding 0 Helen Foster
Wed, 18 May 2011, 4:01 PM
MSA-11-0014: Personal details displayed without permission 0 Helen Foster
Wed, 18 May 2011, 3:57 PM
MSA-11-0013: Group/Quiz permissions issue 0 Helen Foster
Wed, 18 May 2011, 3:52 PM
MSA-11-0012: Authentication issue 0 Helen Foster
Wed, 18 May 2011, 3:44 PM
MSA-11-0011: Multiple cross-site scripting problems in media filter 0 Helen Foster
Tue, 1 Mar 2011, 11:12 PM
MSA-11-0010: Incorrect default for mod:course/delete capability in teacher role 0 Helen Foster
Tue, 1 Mar 2011, 11:10 PM
MSA-11-0009: My profile block may disclose private information if used in user context 0 Helen Foster
Tue, 1 Mar 2011, 10:57 PM
MSA-11-0008: IMS enterprise enrolment file may disclose sensitive information 0 Helen Foster
Tue, 1 Mar 2011, 10:54 PM
MSA-11-0007: Cross-site scripting vulnerability in course tags 0 Helen Foster
Tue, 1 Mar 2011, 10:51 PM
MSA-11-0006: Cross-site request forgery and missing access control in course completion 0 Helen Foster
Tue, 1 Mar 2011, 10:35 PM
MSA-11-0005: Cross-site scripting vulnerability in spikephpcoverage 0 Helen Foster
Tue, 1 Mar 2011, 10:31 PM
MSA-11-0004: $CFG->forceloginforprofiles setting ignored in course profiles 0 Helen Foster
Tue, 1 Mar 2011, 10:31 PM
MSA-11-0003: Cross-site scripting vulnerability in tag autocomplete 0 Helen Foster
Tue, 1 Mar 2011, 10:31 PM
MSA-11-0002: Cross-site request forgery vulnerability in RSS block 0 Helen Foster
Tue, 1 Mar 2011, 10:29 PM
MSA-11-0001: Customised phpMyAdmin upgraded to 2.11.11.3 and 3.3.9.2 0 Petr Skoda
Mon, 21 Feb 2011, 5:01 PM
MSA-10-0018: Customised phpMyAdmin upgraded to 2.11.11.1 and 3.3.8.1 0 Petr Skoda
Sat, 18 Dec 2010, 5:01 AM
MSA-10-0017: XSS vulnerability in YUI 2.4.0 through YUI 2.8.1 0 Petr Skoda
Tue, 26 Oct 2010, 4:30 AM
MSA-10-0016: Multiple phpCAS library vulnerabilities 0 Helen Foster
Mon, 25 Oct 2010, 7:27 PM
MSA-10-0015: Customised HTML Purifier upgraded to 4.2.0 0 Helen Foster
Mon, 25 Oct 2010, 7:25 PM
MSA-10-0014: Customised phpMyAdmin upgraded to 2.11.11 0 Petr Skoda
Sun, 24 Oct 2010, 7:19 PM
MSA-10-0013: Potential Cross Site Request Forgery vulnerability in Quiz reports 0 Helen Foster
Thu, 17 Jun 2010, 11:39 PM
MSA-10-0012: KSES Security Filter Bypassing vulnerability 0 Helen Foster
Thu, 17 Jun 2010, 11:36 PM
MSA-10-0011: Cross Site Scripting vulnerability in blog/index.php 0 Helen Foster
Thu, 17 Jun 2010, 11:34 PM
MSA-10-0010: Persistent Cross Site Scripting vulnerability in the MNET access control interface 0 Helen Foster
Thu, 17 Jun 2010, 11:28 PM
MSA-10-0009: Session fixation prevention now turned on by default 0 Petr Skoda
Wed, 31 Mar 2010, 9:29 PM
MSA-10-0008: Persistent XSS when using Login-as feature 0 Petr Skoda
Wed, 31 Mar 2010, 8:51 PM
MSA-10-0007: Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine 0 Petr Skoda
Wed, 31 Mar 2010, 8:47 PM
MSA-10-0006: SQL injection in Wiki module 0 Petr Skoda
Wed, 31 Mar 2010, 8:45 PM
MSA-10-0005: Incorrect validation of forms data 0 Petr Skoda
Wed, 31 Mar 2010, 8:42 PM
MSA-10-0004: Improved access control in course restore 0 Petr Skoda
Wed, 31 Mar 2010, 8:41 PM
MSA-10-0003: Disclosure of full user names 0 Petr Skoda
Wed, 31 Mar 2010, 8:41 PM
MSA-10-0002: XSS vulnerability in the phpcas module 0 Petr Skoda
Wed, 31 Mar 2010, 8:33 PM
MSA-10-0001: Vulnerability in KSES text cleaning 0 Petr Skoda
Wed, 31 Mar 2010, 8:31 PM
MSA-09-0030: New detection of insecure flash player plugins 0 Helen Foster
Wed, 2 Dec 2009, 5:36 AM
MSA-09-0031: SQL injection in SCORM module 0 Helen Foster
Wed, 2 Dec 2009, 5:01 AM
MSA-09-0029: Multiple password related issues 0 Helen Foster
Wed, 2 Dec 2009, 3:44 AM
MSA-09-0028: Multiple backup/restore related issues 0 Helen Foster
Wed, 2 Dec 2009, 3:39 AM
MSA-09-0027: Login information can be sent unsecured even when site is configured to use SSL for logins 0 Helen Foster
Wed, 2 Dec 2009, 3:32 AM
MSA-09-0026: Invalid application access control in MNET interface 0 Helen Foster
Wed, 2 Dec 2009, 3:28 AM
MSA-09-0025: Unneeded MD5 hashes removed from user table 0 Helen Foster
Wed, 2 Dec 2009, 3:22 AM
MSA-09-0024: Insufficient access control in glossary 0 Helen Foster
Wed, 2 Dec 2009, 3:18 AM
MSA-09-0023: User account disclosure in LAMS module 0 Helen Foster
Wed, 2 Dec 2009, 3:15 AM
MSA-09-0022: Multiple CSRF problems fixed 0 Helen Foster
Wed, 2 Dec 2009, 3:11 AM
MSA-09-0021: Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability 0 Petr Skoda
Tue, 3 Nov 2009, 4:09 AM
MSA-09-0020: Teachers can view students' grades in all courses in the overview report 0 Petr Skoda
Tue, 3 Nov 2009, 3:52 AM
MSA-09-0019: SQL injection in update_record 0 Petr Skoda
Tue, 3 Nov 2009, 3:50 AM
MSA-09-0018: Incorrect escaping when updating first post in a single simple discussion forum type 0 Petr Skoda
Tue, 3 Nov 2009, 3:46 AM
MSA-09-0017: Upgrade code in 1.9 does not escape tags properly 0 Petr Skoda
Tue, 3 Nov 2009, 3:43 AM
MSA-09-0016: Email not properly escaped on user edit page 0 Petr Skoda
Tue, 3 Nov 2009, 3:41 AM
MSA-09-0015: Customised PhpMyAdmin upgraded to 2.11.9.6 0 Petr Skoda
Thu, 15 Oct 2009, 2:12 AM
MSA-09-0014: mimeTeX vulnerabilities 0 Petr Skoda
Tue, 21 Jul 2009, 5:00 PM
MSA-09-0013: Customised PhpMyAdmin upgraded to 2.11.9.5 0 Petr Skoda
Wed, 20 May 2009, 10:28 PM
MSA-09-0012: SQL injections when importing outcomes 0 Petr Skoda
Wed, 20 May 2009, 7:01 PM
MSA-09-0011: Glossary, database and forum ratings are not verified after submission 0 Petr Skoda
Wed, 20 May 2009, 7:01 PM
MSA-09-0010: Unzip binary may create symbolic links pointing outside of dataroot on unix/linux servers 0 Petr Skoda
Wed, 20 May 2009, 6:58 PM
MSA-09-0009: TeX filter file disclosure 0 Petr Skoda
Mon, 13 Apr 2009, 10:46 PM
Prevent profile spam on your Moodle site 0 Martin Dougiamas
Tue, 10 Feb 2009, 1:32 PM
MSA-09-0008: CSRF vulnerability in forum code 0 Petr Skoda
Wed, 4 Feb 2009, 6:14 PM
MSA-09-0007: Missing input validation in logs allows potential XSS attacks 0 Petr Skoda
Wed, 4 Feb 2009, 6:12 PM
MSA-09-0006: Calendar export may allow brute force attacks 0 Petr Skoda
Wed, 4 Feb 2009, 6:08 PM
MSA-09-0005: Moodle 'spell-check-logic.cgi' Insecure Temporary File Creation Vulnerability 0 Petr Skoda
Wed, 4 Feb 2009, 6:08 PM
MSA-09-0004: XSS vulnerabilities in HTML blocks if "Login as" used 0 Petr Skoda
Wed, 4 Feb 2009, 6:08 PM
MSA-09-0003: Vulnerability in Snoopy 1.2.3 0 Petr Skoda
Wed, 4 Feb 2009, 6:07 PM
MSA-09-0002: User pix disclosure 0 Petr Skoda
Wed, 4 Feb 2009, 5:52 PM
MSA-09-0001: No easy way to remove pictures of deleted users 0 Petr Skoda
Wed, 4 Feb 2009, 5:49 PM
MSA-08-0002: register_globals=on not supported 1 Petr Skoda
Tue, 30 Dec 2008, 6:55 AM
MSA-08-0028: customised PhpMyAdmin package upgraded to 2.11.9.4 0 Petr Skoda
Wed, 10 Dec 2008, 9:00 AM
MSA-08-0027: customised PhpMyAdmin package upgraded to 2.11.9.3 0 Petr Skoda
Mon, 3 Nov 2008, 7:30 AM
MSA-08-0026: customised HTML Purifier upgraded to 2.1.5 0 Petr Skoda
Mon, 20 Oct 2008, 4:53 AM
MSA-08-0025: SQL injection in tags code 0 Petr Skoda
Mon, 20 Oct 2008, 4:52 AM
MSA-08-0024: Overriding of frozen values in Moodle forms 0 Petr Skoda
Mon, 20 Oct 2008, 4:50 AM
MSA-08-0023: CSRF in messaging setting 0 Petr Skoda
Mon, 20 Oct 2008, 4:48 AM
MSA-08-0022: XSS through Wiki page titles 0 Petr Skoda
Mon, 20 Oct 2008, 4:46 AM
MSA-08-0021: design deficiency combined with incorrect use of format_string() allowing XSS 0 Petr Skoda
Mon, 20 Oct 2008, 4:43 AM
MSA-08-0020: quiz/questions capabilities lack some risk flags in access.php files 0 Petr Skoda
Mon, 20 Oct 2008, 4:40 AM
MSA-08-0019: customised PhpMyAdmin package upgraded to 2.11.9.2 0 Petr Skoda
Mon, 20 Oct 2008, 4:37 AM
MSA-08-0008: KSES related issues 0 Petr Skoda
Tue, 23 Sep 2008, 3:22 AM
MSA-08-0018: customised PhpMyAdmin package upgraded to 2.11.8.1 0 Petr Skoda
Tue, 29 Jul 2008, 8:19 PM
MSA-08-0013: CSRF (Cross-site Request Forgery) on Moodle edit profile page 0 Petr Skoda
Wed, 23 Jul 2008, 12:04 AM
MSA-08-0017: customised PhpMyAdmin upgraded to 2.11.7.1 0 Petr Skoda
Wed, 16 Jul 2008, 3:26 PM
MSA-08-0016: Email could be changed in profile without confirmation 0 Petr Skoda
Wed, 16 Jul 2008, 2:52 PM
MSA-08-0015: accessible profiles of deleted users 0 Petr Skoda
Wed, 16 Jul 2008, 2:51 PM
MSA-08-0014: potential sql injection in events handling code 0 Petr Skoda
Wed, 16 Jul 2008, 2:49 PM
MSA-08-0012: Potential non-persistent XSS when searching for group members (MSSQL and Oracle only) 0 Petr Skoda
Wed, 16 Jul 2008, 2:48 PM
MSA-08-0011: Potential webroot disclosures warning 0 Petr Skoda
Wed, 16 Jul 2008, 2:47 PM
MSA-08-0010: sql injection in HotPot module 0 Petr Skoda
Wed, 16 Jul 2008, 2:46 PM
MSA-08-0009: Persistent Cross-site Scripting (XSS) on blog entry title parameter 0 Petr Skoda
Wed, 16 Jul 2008, 2:45 PM
MSA-08-0007: imported phpMyAdmin 2.11.5.1 0 Petr Skoda
Mon, 31 Mar 2008, 3:17 PM
MSA-08-0006: Moodle cookie path can not be restricted 0 Petr Skoda
Sat, 19 Jan 2008, 1:58 AM
MSA-08-0005: Bypassing restriction on multiple file uploads 0 Petr Skoda
Sat, 19 Jan 2008, 1:33 AM
MSA-08-0001: Access elevation in user edit form 0 Petr Skoda
Thu, 17 Jan 2008, 9:49 PM
MSA-08-0003: Insufficient access control in Login as feature 0 Petr Skoda
Thu, 17 Jan 2008, 9:49 PM
MSA-08-0004: XSS in install.php before installation 0 Petr Skoda
Thu, 17 Jan 2008, 9:49 PM