SB2026062340 - Multiple vulnerabilities in Moodle
Published: June 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 18 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in MNet peers function. A remote administrator can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
2) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to missing group access checks in some grade web services. A remote user can access grade and user information for students in groups they did not have permission to view.
3) Code Injection (CVE-ID: N/A)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within admin presets import. A remote administrator can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the backup restore functionality. A remote attacker can gain unauthorized access to sensitive information on the system.
5) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to a flaw in email-based multi-factor authentication. A remote user can bypass another user's MFA token check if using the email factor.
6) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the Database Activity module's import feature. A remote attacker can gain unauthorized access to sensitive information on the system.
7) Cross-site request forgery (CVE-ID: N/A)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in grade item idnumber editing. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
8) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within Feedback import error message. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
9) Cross-site request forgery (CVE-ID: N/A)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in user profile page reset. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
10) Cross-site request forgery (CVE-ID: N/A)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in user homepage preference setting. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
11) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to insecure direct object reference (IDOR) issue. A remote user can delete arbitrary comments.
12) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to insufficient capability checks in the Assignment module's marker allocation functionality. A remote use can allocate markers to submissions.
13) Cross-site request forgery (CVE-ID: N/A)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in quiz attempt regrading. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
14) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to missing capability checks in AI placement web services. A remote user can make requests to those AI course assistance web services without having the relevant capabilities
15) Cross-site request forgery (CVE-ID: N/A)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin when adding quiz section headings. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
16) Cross-site request forgery (CVE-ID: N/A)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in group messaging state toggle. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
17) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to missing capability checks in report builder fragment callbacks. A remote user can retrieve report data beyond their permitted access.
18) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the user profile description. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://moodle.org/mod/forum/discuss.php?d=481829
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-87911&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481814
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88667&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481813
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88735&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481812
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88736&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481811
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88767&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481810
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88595&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481821
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88542&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481820
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88543&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481819
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88545&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481818
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88609&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481817
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88619&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481827
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88529&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481826
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88531&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481825
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88533&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481824
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88540&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481823
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-88541&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481831
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-84535&type=commits
- https://moodle.org/mod/forum/discuss.php?d=481830
- https://github.com/search?q=repo%3Amoodle%2Fmoodle+MDL-87898&type=commits