CVE-2021-40694 : Insufficient escaping of the LaTeX preamble made it possible for site administra

Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.

Published 2022-09-29 03:15:14

Updated 2022-10-03 14:39:36

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2021-40694

Moodle » Moodle
Versions before (<) 3.9.10
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle
Versions from including (>=) 3.11.0 and before (<) 3.11.3
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle
Versions from including (>=) 3.10.0 and before (<) 3.10.7
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.17%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 35 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.9	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N	1.2	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Assigned by: nvd@nist.gov (Primary)

https://bugzilla.redhat.com/show_bug.cgi?id=2043421

2043421 – (CVE-2021-40694) CVE-2021-40694 moodle: arbitrary file read by site administrators via LaTeX preamble
Issue Tracking;Third Party Advisory

Jump to