Daniel Thatcher

2 exploits Active since Nov 2018
CVE-2019-3847 NOMISEC MEDIUM WORKING POC
Moodle < 3.1.17 - XSS
A vulnerability was found in Moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but JavaScript that those other users may have added to their Dashboard was not escaped when viewed by the user logging in on their behalf.
7 stars
CVSS 4.8
CVE-2018-16854 NOMISEC MEDIUM WORKING POC
Moodle < 3.6 - CSRF
A flaw was found in Moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15.
7 stars
CVSS 6.5