CVE-2023-45880

Source
https://cve.org/CVERecord?id=CVE-2023-45880
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-45880.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-45880
Published
2023-11-14T06:15:29.203Z
Modified
2026-04-10T05:16:32.614450Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside of the uploads directory, directly in the webroot.

References

Affected packages

Git / github.com/gibbonedu/core

Affected ranges

Type
GIT
Repo
https://github.com/gibbonedu/core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "25.0.00"
        }
    ]
}

Affected versions

Other
PR_Attendance
PR_Markbook_Sidebar
PR_Timetable_Tools
test-tag-3b
test-tag-4
test-tag-5
v10.*
v10.0.00
v11.*
v11.0.00
v12.*
v12.0.00
v14.*
v14.0.00
v14.0.01
v15.*
v15.0.00
v15.0.01
v16.*
v16.0.00
v16.0.01
v17.*
v17.0.00
v18.*
v18.0.00
v18.0.01
v19.*
v19.0.00
v20.*
v20.0.00
v21.*
v21.0.00
v22.*
v22.0.00
v22.0.00-pre
v23.*
v23.0.00
v23.0.00-testbuild2
v24.*
v24.0.00
v24.0.01
v25.*
v25.0.00
v7.*
v7.0.00
v7.0.01
v7.1.00
v7.1.01
v7.1.02
v8.*
v8.0.00
v8.0.01
v8.0.02
v8.0.03
v8.0.04
v8.0.05
v8.0.06
v8.1.00
v8.2.00
v8.3.00
v9.*
v9.0.00
v9.1.00

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-45880.json"