Lucene search

GitHub Advisory DatabaseGHSA-27J2-C838-C3QG

HistoryMay 13, 2022 - 1:12 a.m.

Moodle Arbitrary File Read via XML External Entity vulnerability

2022-05-1301:12:40

CWE-611

GitHub Advisory Database

github.com

moodle

locallib.php

vulnerability

remote file read

xml external entity

imscp resources

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS

0.003

Percentile

70.3%

JSON

mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format.

Affected configurations

Vulners

Node

moodlemoodleRange≤2.4.10

moodlemoodleRange≤2.5.6

moodlemoodleRange≤2.6.3

moodlemoodleMatch2.7.0

VendorProductVersionCPE
moodlemoodle*cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
moodlemoodle2.7.0cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
moodle	moodle	*	cpe:2.3:a:moodle:moodle::::::::
moodle	moodle	2.7.0	cpe:2.3:a:moodle:moodle:2.7.0:::::::*

References

openwall.com/lists/oss-security/2014/07/21/1

git.moodle.org/gw?p=moodle.git;a=commit;h=595ef4772d330a20c757635ab090acdcc9b2a2fa

github.com/advisories/GHSA-27j2-c838-c3qg

github.com/moodle/moodle/commit/595ef4772d330a20c757635ab090acdcc9b2a2fa

moodle.org/mod/forum/discuss.php?d=264264

nvd.nist.gov/vuln/detail/CVE-2014-3543

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS

0.003

Percentile

70.3%

JSON

Related for GHSA-27J2-C838-C3QG