CVE-2023-28330
MEDIUM
Moodle < 3.9.20 - Improper Input Validation
Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.
Exploits (1)
References (3)
Scores
CVSS v3
6.5
EPSS
0.0108
EPSS Percentile
77.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-20
Status
published
Products (7)
moodle/moodle
3.9.0
moodle/moodle
3.11.0
moodle/moodle
4.0.0
moodle/moodle
4.1.0
moodle/moodle
4.1.1
moodle/moodle
3.9.0 - 3.9.20
moodle/moodle
4.1.0 - 4.1.2
Packagist
Published
Mar 23, 2023
Tracked Since
Feb 18, 2026