CVE-2023-30943 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-30943

CVE-2023-30943

May 02, 2023

The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.

Related Resources (15)

https://moodle.org/mod/forum/discuss.php?d=446285

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I/

https://bugzilla.redhat.com/show_bug.cgi?id=2188605

https://nvd.nist.gov/vuln/detail/CVE-2023-30943

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBFSXRYLT4ICKJVQSRBAOUDMDRVSVBLS

https://github.com/moodle/moodle/commit/59d42e1ed23f916dcb47d53c745bef18a116d800

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY

https://github.com/moodle/moodle

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PBFSXRYLT4ICKJVQSRBAOUDMDRVSVBLS

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PBFSXRYLT4ICKJVQSRBAOUDMDRVSVBLS/

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77718

Do you need more information?

CVSS v4

Base Score:

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

HIGH

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Weakness Type (CWE)

External Control of File Name or Path

CWE-73

Externally Controlled Reference to a Resource in Another Sphere

CWE-610

EPSS

Base Score:

16.36

Products

Solutions

Resources

Company

Compare

Developer Tools