GHSA-27j2-c838-c3qg

Source

https://github.com/advisories/GHSA-27j2-c838-c3qg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-27j2-c838-c3qg/GHSA-27j2-c838-c3qg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-27j2-c838-c3qg

Aliases

CVE-2014-3543

Published

2022-05-13T01:12:40Z

Modified

2024-12-07T05:46:47.756289Z

Summary

Moodle Arbitrary File Read via XML External Entity vulnerability

Details

mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format.

Database specific

{
    "nvd_published_at": "2014-07-29T11:10:00Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-15T22:20:28Z"
}

References

Affected packages

Packagist / moodle/moodle

Package

Name: moodle/moodle
Purl: pkg:composer/moodle/moodle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.7.0

Fixed

2.7.1

Affected versions

2.*

2.7.0

v2.*

v2.7.0

Packagist / moodle/moodle

Package

Name: moodle/moodle
Purl: pkg:composer/moodle/moodle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.0

Fixed

2.6.4

Affected versions

v2.*

v2.6.0

v2.6.1

v2.6.2

v2.6.3

Database specific

{
    "last_known_affected_version_range": "<= 2.6.3"
}

Packagist / moodle/moodle

Package

Name: moodle/moodle
Purl: pkg:composer/moodle/moodle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.5.0

Fixed

2.5.7

Affected versions

v2.*

v2.5.0

v2.5.1

v2.5.2

v2.5.3

v2.5.4

v2.5.5

v2.5.6

Database specific

{
    "last_known_affected_version_range": "<= 2.5.6"
}

Packagist / moodle/moodle

Package

Name: moodle/moodle
Purl: pkg:composer/moodle/moodle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.11

Affected versions

v2.*

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v2.3.10

v2.3.11

v2.4.0-rc1

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

v2.4.10

Database specific

{
    "last_known_affected_version_range": "<= 2.4.10"
}