Moodle Authenticated LFI risk in some misconfigured shared hosting environments
High severity
GitHub Reviewed
Published
May 31, 2024
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Package
Affected versions
>= 4.3.0, < 4.3.4
>= 4.2.0, < 4.2.7
< 4.1.10
Patched versions
4.3.4
4.2.7
4.1.10
Description
Published by the National Vulnerability Database
May 31, 2024
Published to the GitHub Advisory Database
May 31, 2024
Reviewed
Jun 4, 2024
Last updated
Nov 18, 2024
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
References