GoogleOSV:GHSA-22GJ-8QJ2-FJ46Moodle External Control of File Name or Path vulnerability
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
0.016 Low
EPSS
Percentile
87.6%
The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.
References
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77718
bugzilla.redhat.com/show_bug.cgi?id=2188605
github.com/moodle/moodle
github.com/moodle/moodle/commit/59d42e1ed23f916dcb47d53c745bef18a116d800
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PBFSXRYLT4ICKJVQSRBAOUDMDRVSVBLS
lists.fedoraproject.org/archives/list/[email protected]/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I
lists.fedoraproject.org/archives/list/[email protected]/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY
lists.fedoraproject.org/archives/list/[email protected]/message/PBFSXRYLT4ICKJVQSRBAOUDMDRVSVBLS
moodle.org/mod/forum/discuss.php?d=446285
nvd.nist.gov/vuln/detail/CVE-2023-30943
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
0.016 Low
EPSS
Percentile
87.6%