CVE-2016-7038

In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.

Source: CVE-2016-7038

CVE-2016-5014

In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course.

Source: CVE-2016-5014

CVE-2016-5012

In Moodle 3.x, glossary search displays entries without checking user permissions to view them.

Source: CVE-2016-5012

CVE-2016-8642

In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.

Source: CVE-2016-8642

CVE-2017-2576

In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.

Source: CVE-2017-2576

CVE-2016-10143

A vulnerability in Tiki Wiki CMS 15.2 could allow a remote attacker to read arbitrary files on a targeted system via a crafted pathname in a banner URL field.

Source: CVE-2016-10143

CVE-2016-8643

In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.

Source: CVE-2016-8643

CVE-2017-5541

Directory traversal vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to rename arbitrary files via a .. (dot dot) in the existing-folder and new-folder parameters.

Source: CVE-2017-5541

CVE-2017-2578

In Moodle 3.x, there is XSS in the assignment submission page.

Source: CVE-2017-2578

CVE-2016-8644

In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.

Source: CVE-2016-8644