| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2014-3617 |
264 |
|
Bypass |
2014-09-15 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum. |
|
2 |
CVE-2014-2571 |
79 |
|
XSS |
2014-03-24 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the quiz_question_tostring function in mod/quiz/editlib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to inject arbitrary web script or HTML via a quiz question. |
|
3 |
CVE-2014-0218 |
79 |
|
XSS |
2014-05-27 |
2020-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the URL downloader repository in repository/url/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
4 |
CVE-2014-0216 |
264 |
|
+Info |
2014-05-27 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block. |
|
5 |
CVE-2014-0215 |
200 |
|
+Info |
2014-05-27 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote authenticated users to de-anonymize student identities by (1) using a screen reader or (2) reading the HTML source. |
|
6 |
CVE-2014-0214 |
287 |
|
|
2014-05-27 |
2020-12-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
login/token.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 creates a MoodleMobile web-service token with an infinite lifetime, which makes it easier for remote attackers to hijack sessions via a brute-force attack. |
|
7 |
CVE-2014-0213 |
352 |
|
CSRF |
2014-05-27 |
2020-12-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in mod/assign/locallib.php in the Assignment subsystem in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allow remote attackers to hijack the authentication of teachers for quick-grading requests. |
|
8 |
CVE-2014-0129 |
264 |
|
|
2014-03-24 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
badges/mybadges.php in Moodle 2.5.x before 2.5.5 and 2.6.x before 2.6.2 does not properly track the user to whom a badge was issued, which allows remote authenticated users to modify the visibility of an arbitrary badge via unspecified vectors. |
|
9 |
CVE-2014-0127 |
264 |
|
Bypass |
2014-03-24 |
2020-12-01 |
4.9 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
None |
|
The time-validation implementation in (1) mod/feedback/complete.php and (2) mod/feedback/complete_guest.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to bypass intended restrictions on starting a Feedback activity by choosing an unavailable time. |
|
10 |
CVE-2014-0126 |
352 |
|
CSRF |
2014-03-24 |
2020-12-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in enrol/imsenterprise/importnow.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that import an IMS Enterprise file. |
|
11 |
CVE-2014-0125 |
264 |
|
Bypass |
2014-03-24 |
2020-12-01 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 places a session key in a URL, which allows remote attackers to bypass intended Alfresco Repository file restrictions by impersonating a file's owner. |
|
12 |
CVE-2014-0124 |
264 |
|
+Info |
2014-03-24 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The identity-reporting implementations in mod/forum/renderer.php and mod/quiz/override_form.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 do not properly restrict the display of e-mail addresses, which allows remote authenticated users to obtain sensitive information by using the (1) Forum or (2) Quiz module. |
|
13 |
CVE-2014-0123 |
264 |
|
|
2014-03-24 |
2020-12-01 |
4.9 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
None |
|
The wiki subsystem in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly restrict (1) view and (2) edit access, which allows remote authenticated users to perform wiki operations by leveraging the student role and using the Recent Activity block to reach the individual wiki of an arbitrary student. |
|
14 |
CVE-2014-0122 |
264 |
|
Bypass |
2014-03-24 |
2020-12-01 |
4.9 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
None |
|
mod/chat/chat_ajax.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly check for the mod/chat:chat capability during chat sessions, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by remaining in a chat session after an intra-session capability removal by an administrator. |
|
15 |
CVE-2014-0010 |
352 |
|
CSRF |
2014-01-20 |
2020-12-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in user/profile/index.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 allow remote attackers to hijack the authentication of administrators for requests that delete (1) categories or (2) fields. |
|
16 |
CVE-2014-0009 |
264 |
|
|
2014-01-20 |
2020-12-01 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request. |
|
17 |
CVE-2013-7341 |
79 |
|
XSS |
2014-03-24 |
2020-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted playerId or (2) referencing an external domain, a related issue to CVE-2013-7342. |
|
18 |
CVE-2013-4525 |
79 |
|
XSS |
2013-11-26 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in mod/quiz/report/responses/responses_table.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to inject arbitrary web script or HTML via an answer to a text-based quiz question. |
|
19 |
CVE-2013-4524 |
22 |
|
Dir. Trav. |
2013-11-26 |
2020-12-01 |
6.8 |
None |
Remote |
Low |
??? |
Complete |
None |
None |
|
Directory traversal vulnerability in repository/filesystem/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a path. |
|
20 |
CVE-2013-4523 |
79 |
|
XSS |
2013-11-26 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in message/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted message. |
|
21 |
CVE-2013-4522 |
200 |
|
+Info |
2013-11-26 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
lib/filelib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 does not send "Cache-Control: private" HTTP headers, which allows remote attackers to obtain sensitive information by requesting a file that had been previously retrieved by a caching proxy server. |
|
22 |
CVE-2013-3630 |
94 |
|
|
2013-11-01 |
2021-10-12 |
4.6 |
None |
Remote |
High |
??? |
Partial |
Partial |
Partial |
|
Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor. |
|
23 |
CVE-2013-1836 |
264 |
|
|
2013-03-25 |
2020-12-01 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not properly manage privileges for WebDAV repositories, which allows remote authenticated users to read, modify, or delete arbitrary site-wide repositories by leveraging certain read access. |
|
24 |
CVE-2013-1835 |
200 |
|
+Info |
2013-03-25 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
Partial |
None |
None |
|
Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated administrators to obtain sensitive information from the external repositories of arbitrary users by leveraging the login_as feature. |
|
25 |
CVE-2013-1834 |
264 |
|
|
2013-03-25 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated users to reassign notes via a modified (1) userid or (2) courseid field. |
|
26 |
CVE-2013-1833 |
79 |
|
XSS |
2013-03-25 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted filename. |
|
27 |
CVE-2013-1832 |
200 |
|
+Info |
2013-03-25 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance. |
|
28 |
CVE-2013-1831 |
200 |
|
+Info |
2013-03-25 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message. |
|
29 |
CVE-2013-1830 |
264 |
|
+Info |
2013-03-25 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search. |
|
30 |
CVE-2012-3398 |
|
|
DoS |
2012-07-23 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
Algorithmic complexity vulnerability in Moodle 1.9.x before 1.9.19, 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to cause a denial of service (CPU consumption) by using the advanced-search feature on a database activity that has many records. |
|
31 |
CVE-2012-3397 |
264 |
|
Bypass |
2012-07-23 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
lib/modinfolib.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 does not check for a group-membership requirement when determining whether an activity is unavailable or hidden, which allows remote authenticated users to bypass intended access restrictions by selecting an activity that is configured for a group of other users. |
|
32 |
CVE-2012-3396 |
79 |
|
XSS |
2012-07-23 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in cohort/edit_form.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the idnumber field. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2365. |
|
33 |
CVE-2012-3395 |
89 |
|
Exec Code Sql |
2012-07-23 |
2020-12-01 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in mod/feedback/complete.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to execute arbitrary SQL commands via crafted form data. |
|
34 |
CVE-2012-2367 |
264 |
|
Bypass |
2012-07-21 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Moodle 1.9.x before 1.9.18, 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to bypass the moodle/calendar:manageownentries capability requirement and add a calendar entry via a New Entry action. |
|
35 |
CVE-2012-2365 |
79 |
|
XSS |
2012-07-21 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via the idnumber field to cohort/edit.php. |
|
36 |
CVE-2012-2364 |
79 |
|
XSS |
2012-07-21 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in lib/filelib.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via an assignment submission with zip compression, leading to text/html rendering during a "download all" action. |
|
37 |
CVE-2012-2361 |
79 |
|
XSS |
2012-07-21 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in admin/webservice/forms.php in the web services implementation in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via the name field (aka the service name) to admin/webservice/service.php. |
|
38 |
CVE-2012-2360 |
79 |
|
XSS |
2012-07-21 |
2020-12-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Wiki subsystem in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted string that is inserted into a page title. |
|
39 |
CVE-2012-2359 |
264 |
|
+Priv |
2012-07-21 |
2020-12-01 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
admin/roles/override.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to gain privileges by leveraging the teacher role and modifying their own capabilities, as demonstrated by obtaining the backup:userinfo capability. |
|
40 |
CVE-2012-2358 |
264 |
|
Bypass |
2012-07-21 |
2020-12-01 |
5.5 |
None |
Remote |
Low |
??? |
None |
Partial |
Partial |
|
Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to bypass an activity's read-only state and modify the database by leveraging the student role and editing database activity entries that already exist. |
|
41 |
CVE-2012-0800 |
200 |
|
+Info |
2012-07-17 |
2020-12-01 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The form-autocompletion functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 makes it easier for physically proximate attackers to discover passwords by reading the contents of a non-password field, as demonstrated by accessing a create-groups page with Safari on an iPad device. |
|
42 |
CVE-2012-0799 |
200 |
|
+Info |
2012-07-17 |
2020-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Moodle 2.0.x before 2.0.7 and 2.1.x before 2.1.4, when an anonymous front-page forum is enabled, allows remote attackers to obtain session keys for their sessions by visiting the front page. |
|
43 |
CVE-2012-0796 |
94 |
|
|
2012-07-17 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
class.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 and other products, allows remote authenticated users to inject arbitrary e-mail headers via vectors involving a crafted (1) From: or (2) Sender: header. |
|
44 |
CVE-2012-0795 |
20 |
|
|
2012-07-17 |
2020-12-01 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 does not validate e-mail address settings, which allows remote authenticated users to have an unspecified impact via a crafted address. |
|
45 |
CVE-2012-0794 |
255 |
|
|
2012-07-17 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The rc4encrypt function in lib/moodlelib.php in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 uses a hardcoded password of nfgjeingjk, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by reading this script's source code within the open-source software distribution. |
|
46 |
CVE-2012-0793 |
264 |
|
|
2012-07-17 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote attackers to view the profile images of arbitrary user accounts via unspecified vectors. |
|
47 |
CVE-2011-4593 |
200 |
|
+Info |
2012-07-20 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 does not properly handle user/action_redir group messages, which allows remote authenticated users to discover e-mail addresses by visiting the messaging interface. |
|
48 |
CVE-2011-4592 |
264 |
|
Bypass |
2012-07-20 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The command-line cron implementation in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 does not properly interact with IP blocking, which might allow remote attackers to bypass intended IP address restrictions by leveraging a configuration in which IP blocking was disabled to restore cron functionality. |
|
49 |
CVE-2011-4591 |
79 |
|
XSS |
2012-07-20 |
2020-12-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the print_object function in lib/datalib.php in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3, when a developer debugging script is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors involving object states. |
|
50 |
CVE-2011-4590 |
287 |
|
Bypass |
2012-07-20 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
The web services implementation in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 does not properly consider the maintenance-mode state and account attributes during login attempts, which allows remote authenticated users to bypass intended access restrictions by connecting to a webservice server. |
