CVE-2022-35650 — Path Traversal in Moodle

CWE-22 — Path Traversal CWE-20 — Improper Input Validation4 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 36.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moodle Fedoraproject Fedora

Timeline

PublishedJul 25

Latest updateJul 26

Description

The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDmoodle/moodle3.9.0 — 3.9.15+2

▶Packagistmoodle/moodle3.9 — 3.9.15+2

▶CVEListV5moodle/moodleFixed in moodle 4.0.2, moodle 3.11.8, moodle 3.9.15

Also affects: Fedora 35, 36

Patches

Patch: git.moodle.org ↗Patch: git.moodle.org ↗

🔴Vulnerability Details

OSV

Moodle Arbitrary file read when importing lesson questions↗2022-07-26

▶

GHSA

Moodle Arbitrary file read when importing lesson questions↗2022-07-26

▶

OSV

CVE-2022-35650: The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions↗2022-07-25

▶