CVE-2012-6099
Moodle 2.1-2.1.10, 2.2-2.2.7, 2.3-2.3.4, 2.4-2.4.1 - Authenticated Arbitrary File Read via Backup Converter
Title source: llmDescription
The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature.
References (3)
Core References
Patch (x_refsource_confirm): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977
Vendor Advisory (x_refsource_confirm): https://moodle.org/mod/forum/discuss.php?d=220160
Mailing List (mailing-list, x_refsource_mlist): http://openwall.com/lists/oss-security/2013/01/21/1
Scores
EPSS: 0.0020
EPSS Percentile: 41.7%
Details
CWE: CWE-20
Status: published
Products (23)
moodle/moodle 2.1.0
moodle/moodle 2.1.1
moodle/moodle 2.1.2
moodle/moodle 2.1.3
moodle/moodle 2.1.4
moodle/moodle 2.1.5
moodle/moodle 2.1.6
moodle/moodle 2.1.7
moodle/moodle 2.1.8
moodle/moodle 2.1.9
... and 13 more
Published: Jan 27, 2013
Tracked Since: Feb 18, 2026