Vulnerability Details : CVE-2023-30943
Potential exploit
The vulnerability was found in Moodle. It exists because the application lets a user control the path of the folder created by the TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.
Vulnerability category: File inclusion
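The weakness described above is a path that an HTTP parameter controls being handed to a directory-creation call without a containment check. The block below is an added illustration of that pattern and of a hardened replacement; it is not Moodle's code and does not reproduce the MSA-23-0014 fix. The base directory, the attacker input and the allowed-name pattern are constructed for the example.

```python
import os
import posixpath
import re

# Hypothetical loader directory (assumption for the example, not Moodle's real layout).
LOADER_BASE = "/var/moodledata/temp/tinymce"

# Constructed inputs: one climbs out of LOADER_BASE, one is an ordinary folder name.
EVIL_INPUT = "../../../../etc/cron.d/backdoor"
GOOD_INPUT = "user-1234"

# Single path component only: letters, digits, dash, underscore.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def unsafe_target(base, user_path):
    """Vulnerable pattern: the user-controlled value is joined into the path and
    the result would go straight to mkdir(). Nothing checks where it ends up."""
    return posixpath.normpath(posixpath.join(base, user_path))


def escapes_base(base, user_path):
    """True when the unsafe pattern would place the new folder outside base."""
    return posixpath.commonpath([base, unsafe_target(base, user_path)]) != base


def safe_target(base, user_path):
    """Hardened pattern: allow-list the name as one path component, then verify
    containment again after normalisation so the two checks back each other up."""
    if not SAFE_NAME.match(user_path):
        raise ValueError("folder name rejected: %r" % user_path)
    target = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, target]) != base:
        raise ValueError("path escapes base: %r" % target)
    return target


def accepted(base, user_path):
    """Convenience wrapper: does the hardened check accept this input?"""
    try:
        safe_target(base, user_path)
        return True
    except ValueError:
        return False


def create_folder(base, user_path):
    """The only function that touches the filesystem; it goes through safe_target()."""
    os.makedirs(safe_target(base, user_path), exist_ok=True)


if __name__ == "__main__":
    for candidate in (GOOD_INPUT, EVIL_INPUT):
        print("%-36s unsafe -> %-28s accepted by hardened check: %s"
              % (candidate, unsafe_target(LOADER_BASE, candidate),
                 accepted(LOADER_BASE, candidate)))
```

The containment check here is string-level (`normpath` plus `commonpath`), which is enough to catch `..` sequences; on a real deployment also resolve the base with `os.path.realpath` and check the realpath of the target, since a symlink inside the base directory can point elsewhere without any `..` in the request.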
Products affected by CVE-2023-30943
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-30943
EPSS score: 18.45% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~95% (the proportion of vulnerabilities that are scored at or lower)
CVSS scores for CVE-2023-30943
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N | 2.8 | 3.6 | Fedora Project | 2024-04-19
CWE ids for CVE-2023-30943
- CWE-73 (External Control of File Name or Path): The product allows user input to control or influence paths or file names that are used in filesystem operations. Assigned by: patrick@puiterwijk.org (Secondary)
- CWE-610 (Externally Controlled Reference to a Resource in Another Sphere): The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-30943
- https://moodle.org/mod/forum/discuss.php?d=446285
Moodle.org: MSA-23-0014: TinyMCE loaders susceptible to Arbitrary Folder Creation (Patch; Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZBWRVUJF7HI53XCJPJ3YJZPOV5HBRUY/
[SECURITY] Fedora 37 Update: moodle-4.1.3-1.fc37 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PBFSXRYLT4ICKJVQSRBAOUDMDRVSVBLS/
[SECURITY] Fedora 36 Update: moodle-3.11.14-1.fc36 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/54TM5H5PDUDYXOQ7X7PPYWP4AJDAE73I/
[SECURITY] Fedora 38 Update: moodle-4.1.3-1.fc38 - package-announce - Fedora Mailing-Lists
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77718
Official Moodle git projects - moodle.git/search (Patch)
- https://bugzilla.redhat.com/show_bug.cgi?id=2188605
2188605 – (CVE-2023-30943, MSA-23-0014) CVE-2023-30943 moodle: TinyMCE loaders susceptible to Arbitrary Folder Creation (Issue Tracking; Patch; Third Party Advisory)