GHSA-cr78-rphw-w73p

Source
https://github.com/advisories/GHSA-cr78-rphw-w73p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cr78-rphw-w73p/GHSA-cr78-rphw-w73p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cr78-rphw-w73p
Aliases
  • CVE-2012-6099
Published
2022-05-13T01:12:55Z
Modified
2024-12-07T05:27:37.301539Z
Summary
Moodle Arbitrary File Read via Backup Functionality
Details

The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature.

Database specific
{
    "nvd_published_at": "2013-01-27T22:55:00Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-29T21:00:53Z"
}
References

Affected packages

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4
Fixed
2.4.1

Affected versions

2.*

2.4

v2.*

v2.4.0-rc1
v2.4.0

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3
Fixed
2.3.4

Database specific

{
    "last_known_affected_version_range": "<= 2.3.3"
}

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2
Fixed
2.2.7

Database specific

{
    "last_known_affected_version_range": "<= 2.2.6"
}

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1
Fixed
2.1.10

Database specific

{
    "last_known_affected_version_range": "<= 2.1.9"
}