GHSA-cr78-rphw-w73p

Suggest an improvement
Source
https://github.com/advisories/GHSA-cr78-rphw-w73p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cr78-rphw-w73p/GHSA-cr78-rphw-w73p.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cr78-rphw-w73p
Aliases
  • CVE-2012-6099
Published
2022-05-13T01:12:55Z
Modified
2024-12-07T05:39:08.305441Z
Summary
Moodle Arbitrary File Read via Backup Functionality
Details

The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature.

Database specific
{
    "nvd_published_at": "2013-01-27T22:55:00Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-29T21:00:53Z"
}
References

Affected packages

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4
Fixed
2.4.1

Affected versions

2.*

2.4

v2.*

v2.4.0-rc1
v2.4.0

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3
Fixed
2.3.4

Database specific

{
    "last_known_affected_version_range": "<= 2.3.3"
}

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2
Fixed
2.2.7

Database specific

{
    "last_known_affected_version_range": "<= 2.2.6"
}

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1
Fixed
2.1.10

Database specific

{
    "last_known_affected_version_range": "<= 2.1.9"
}