Total vulnerabilities in the database
The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via unspecified vectors.
| Software | From | Fixed in |
|---|---|---|
| moodle / moodle | 2.0.2 | 2.0.2.x |
| moodle / moodle | 1.9.4 | 1.9.4.x |
| moodle / moodle | 1.9.1 | 1.9.1.x |
| moodle / moodle | 1.9.6 | 1.9.6.x |
| moodle / moodle | 1.9.9 | 1.9.9.x |
| moodle / moodle | 2.0.1 | 2.0.1.x |
| moodle / moodle | 1.9.11 | 1.9.11.x |
| moodle / moodle | 1.9.2 | 1.9.2.x |
| moodle / moodle | 1.9.12 | 1.9.12.x |
| moodle / moodle | 1.9.10 | 1.9.10.x |
| moodle / moodle | 2.0.3 | 2.0.3.x |
| moodle / moodle | 1.9.3 | 1.9.3.x |
| moodle / moodle | 1.9.5 | 1.9.5.x |
| moodle / moodle | 1.9.8 | 1.9.8.x |
| moodle / moodle | 1.9.7 | 1.9.7.x |
| moodle / moodle | 2.0.0 | 2.0.0.x |
| moodle / moodle | 2.1.0 | 2.1.0.x |