A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.

According to its self-reported version, the Moodle install hosted on the remote host is prior to 3.9.24 / 3.11.x prior to 3.11.17 / 4.0.x prior to 4.0.11 / 4.1.x prior to 4.1.6 / 4.2.x prior to 4.2.3. It is, therefore, affected by multiple vulnerabilities:

- Forum summary report shows students from other groups when in Separate Groups mode

- RCE due to LFI risk in some misconfigured shared hosting environments

- Insufficient capability checks when updating the parent of a course category

- Make file serving endpoints revision control stricter

- XSS risk when previewing data in course upload tool

- Auto-populated H5P author name causes a potential information leak

- Stored XSS and potential IDOR risk in Wiki comments

- Students could see other students in "Only see own membership" groups

- XSS risk when using CSV grade import method

- Authenticated remote code execution risk in IMSCP

- Authenticated remote code execution risk in Lesson

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-6bd1586dc5 advisory.

    Latest updates



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-6880309d0e advisory.

    Latest updates

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-a7b0d27d18 advisory.

    Latest updates

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
114740	Moodle 4.2.x < 4.2.3 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
114739	Moodle 4.1.x < 4.1.6 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
114738	Moodle 4.0.x < 4.0.11 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
114737	Moodle 3.11.x < 3.11.17 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
114736	Moodle < 3.9.24 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
185223	Fedora 39 : moodle (2023-6bd1586dc5)	Nessus	Fedora Local Security Checks	critical
183345	Fedora 38 : moodle (2023-6880309d0e)	Nessus	Fedora Local Security Checks	critical
183344	Fedora 37 : moodle (2023-a7b0d27d18)	Nessus	Fedora Local Security Checks	critical

Detections

Analytics

CVE-2023-5539

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical