...

Most vulnerabilities reported against the libraries listed above depend on unsanitised user input being passed to library methods. In Totara, any such input has already been sanitised server-side before it reaches those libraries. As described in Support for third-party libraries above, we also backport upstream fixes where appropriate to provide a further layer of defence.

Support for upstream security fixes from Moodle

Parts of the Totara codebase are derived from Moodle 3.4.9, which was released in 2019; no Moodle functionality has been forked since then. That code is a core part of Totara under active development, not an external dependency.

Totara's secure development practices include monitoring newly disclosed Moodle vulnerabilities and promptly checking whether the corresponding Totara code is affected, fixing it where it is. In addition, every Totara release undergoes a thorough security review and penetration test.

If you have questions about a specific CVE or Moodle issue, we are happy to clarify whether it needed to be fixed in Totara, and if so, how it was addressed.

Miscellaneous

How are security measures tested?

...