Lucene search

GitHub Advisory DatabaseGHSA-XMWV-MQH8-4XGW

HistoryMay 13, 2022 - 1:12 a.m.

Moodle allows remote attackers to read arbitrary files

2022-05-1301:12:40

CWE-200

GitHub Advisory Database

github.com

moodle

remote attackers

arbitrary files

xml external entity

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

AI Score

7.3

Confidence

Low

EPSS

0.003

Percentile

70.3%

JSON

mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Affected configurations

Vulners

Node

moodlemoodleMatch2.7.0

moodlemoodleRange<2.6.4

moodlemoodleRange<2.5.7

moodlemoodleRange<2.4.11

moodlemoodleRange≤2.3.11

VendorProductVersionCPE
moodlemoodle2.7.0cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
moodlemoodle*cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
moodle	moodle	2.7.0	cpe:2.3:a:moodle:moodle:2.7.0:::::::*
moodle	moodle	*	cpe:2.3:a:moodle:moodle::::::::

References

git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45463

openwall.com/lists/oss-security/2014/07/21/1

github.com/advisories/GHSA-xmwv-mqh8-4xgw

github.com/moodle/moodle/commit/78ed99ec7e5e75b283e844adb058140d6ba0ff14

moodle.org/mod/forum/discuss.php?d=264263

nvd.nist.gov/vuln/detail/CVE-2014-3542

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

AI Score

7.3

Confidence

Low

EPSS

0.003

Percentile

70.3%

JSON

Related for GHSA-XMWV-MQH8-4XGW