Description
The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=260364
Patch x_refsource_confirm
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43877
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2014/05/19/1
Scores
EPSS
0.0028
EPSS Percentile
51.7%
Details
CWE
CWE-264
Status
published
Products (50)
moodle/moodle
2.0.0
moodle/moodle
2.0.1
moodle/moodle
2.0.2
moodle/moodle
2.0.3
moodle/moodle
2.0.4
moodle/moodle
2.0.5
moodle/moodle
2.0.6
moodle/moodle
2.0.7
moodle/moodle
2.0.8
moodle/moodle
2.0.9
... and 40 more
Published
May 27, 2014
Tracked Since
Feb 18, 2026