CVE-2023-5550

MEDIUM

moodle <3.9.24 and >=4.3.0-beta <4.3.0-rc2 - Remote Code Execution via Local File Include

Title source: llm

Description

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

References (3)

Core 3

Core References

Patch

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72249

Patch, Vendor Advisory

https://moodle.org/mod/forum/discuss.php?d=451591

Issue Tracking, Third Party Advisory issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2243452

Scores

CVSS v3 6.5

EPSS 0.0147

EPSS Percentile 81.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-94

Status published

Products (4)

fedoraproject/extra_packages_for_enterprise_linux 7.0

fedoraproject/fedora 38

moodle/moodle < 3.9.24

moodle/moodle 4.3.0-beta - 4.3.0-rc2Packagist

Published Nov 09, 2023

Tracked Since Feb 18, 2026