CVE-2023-30943

MEDIUM NUCLEI

Moodle 4.1.0-4.1.2 - Unauthenticated Arbitrary Folder Creation via TinyMCE Loader


Exploitation Summary

EIP tracks 3 public exploits for CVE-2023-30943. PoCs published by d0rb, Chocapikk, RubyCat1337. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC demonstrates two Moodle vulnerabilities: unauthenticated arbitrary folder creation leading to stored XSS and self-XSS leading to account takeover. The exploit combines these techniques to showcase potential RCE and privilege escalation paths.

Description

The vulnerability exists in Moodle because the application allows a user to control the path of the folder to be created by the TinyMCE loaders. A remote, unauthenticated user can send a specially crafted HTTP request and create arbitrary folders on the system.

Exploits (3)

nomisec WORKING POC 18 stars
by d0rb · poc
https://github.com/d0rb/CVE-2023-30943

This PoC demonstrates two Moodle vulnerabilities: unauthenticated arbitrary folder creation leading to stored XSS and self-XSS leading to account takeover. The exploit combines these techniques to showcase potential RCE and privilege escalation paths.

Classification: Working PoC (90%) · Attack Type: XSS · Complexity: Moderate · Reliability: Reliable
Target: Moodle versions 4.1.x before 4.1.3, 4.2.x before 4.2.0, and others
No auth needed
Prerequisites: Vulnerable Moodle instance · Ability to send crafted requests to the target
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER 12 stars
by Chocapikk · poc
https://github.com/Chocapikk/CVE-2023-30943

This repository contains a Python-based scanner for detecting CVE-2023-30943, a vulnerability in Moodle that allows arbitrary folder creation via crafted HTTP requests to the TinyMCE loader. The tool supports single URL checks, bulk scanning from files, and integration with Leakix for fetching potential targets.

Classification: Scanner (90%) · Attack Type: Other · Complexity: Trivial · Reliability: Reliable
Target: Moodle (versions affected by CVE-2023-30943)
No auth needed
Prerequisites: Python 3.10 · requests library · rich library · alive_progress library · Leakix API key (optional, for Leakix integration)
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by RubyCat1337 · poc
https://github.com/RubyCat1337/CVE-2023-30943

This PoC demonstrates a combination of unauthenticated arbitrary folder creation leading to stored XSS and a self-XSS leading to account takeover in Moodle. The exploit leverages directory traversal and XSS payloads to achieve remote code execution and session hijacking.

Classification: Working PoC (80%) · Attack Type: XSS · Complexity: Moderate · Reliability: Reliable
Target: Moodle
No auth needed
Prerequisites: Access to a vulnerable Moodle instance · Ability to craft malicious requests
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Moodle - Cross-Site Scripting/Remote Code Execution
MEDIUM · by ritikchaddha
Shodan: title:"Moodle" || cpe:"cpe:2.3:a:moodle:moodle" || http.title:"moodle"
FOFA: title="moodle"

Scores

CVSS v3 6.5
EPSS 0.2651
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE
CWE-610, CWE-73
Status published
Products (6)
fedoraproject/extra_packages_for_enterprise_linux 7.0
fedoraproject/fedora 36
fedoraproject/fedora 37
fedoraproject/fedora 38
moodle/moodle 0 - 4.2.0-rc2 (Packagist)
moodle/moodle 4.1.0 - 4.1.3
Published May 02, 2023
Tracked Since Feb 18, 2026