CVE-2024-34002 moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_feedback backup

2024-05-3120:15:25

CWE-200

fedora

www.cve.org

cve-2024-34002

moodle

lfi risk

misconfigured shared hosting

mod_feedback backup

6.4 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

In a shared hosting environment that has been misconfigured to allow access to other users’ content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

CNA Affected

[
  {
    "collectionURL": "https://git.moodle.org",
    "packageName": "Moodle",
    "versions": [
      {
        "status": "affected",
        "version": "4.0",
        "lessThanOrEqual": "4.3.3",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "4.2",
        "lessThanOrEqual": "4.2.6",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "4.1",
        "lessThanOrEqual": "4.1.9",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  }
]