CVE-2023-30943
Published 2023-05-02
CVE-2023-30943: The vulnerability was found in Moodle and exists because the application allows a user to control the path of the folder to create in TinyMCE loaders. A remote user…
Priority: P3 · 45 · medium · 5.3 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EXPLOIT
EPSS: 6.58% (93.0th percentile)
The vulnerability was found in Moodle and exists because the application allows a user to control the path of the folder to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | extra_packages_for_enterprise_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| moodle | moodle | >= 0 < 4.2.0-rc2 | 4.2.0-rc2 |
| moodle | moodle | >= 4.1.0 < 4.1.3 | 4.1.3 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| osv | — | 5.3 | MEDIUM | — |
GHSA
Moodle External Control of File Name or Path vulnerability
ghsa · 2023-05-02 · CVE-2023-30943 [MEDIUM] · CWE-610
OSV
CVE-2023-30943: The vulnerability was found in Moodle and exists because the application allows a user to control the path of the folder to create in TinyMCE loaders
osv · 2023-05-02 · CVSS 5.3 · CVE-2023-30943 [MEDIUM]
OSV
Moodle External Control of File Name or Path vulnerability
osv · 2023-05-02 · CVE-2023-30943 [MEDIUM]
No detection rules found.
Nuclei
Moodle - Cross-Site Scripting/Remote Code Execution
nuclei · CVSS 5.3 · CVE-2023-30943 [MEDIUM]
Moodle versions 4.1.x before 4.1.3 and 4.2.x before 4.2.0 are susceptible to unauthenticated arbitrary folder creation, tracked as CVE-2023-30943. An attacker can leverage the creation of arbitrary folders to carry out a Stored Cross-Site Scripting (XSS) attack on the administration panel, resulting in arbitrary code execution on the server as soon as an administrator visits the panel.
Template:
```yaml
id: CVE-2023-30943
info:
  name: Moodle - Cross-Site Scripting/Remote Code Execution
  author: ritikc
```
No writeups or analysis indexed.
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77718
- https://bugzilla.redhat.com/show_bug.cgi?id=2188605
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PBFSXRYLT4ICKJVQSRBAOUDMDRVSVBLS/
- https://moodle.org/mod/forum/discuss.php?d=446285
Published: 2023-05-02