First published: Fri Mar 17 2023(Updated: )
Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.
Credit: patrick@puiterwijk.org patrick@puiterwijk.org
Affected Software | Affected Version | How to fix |
---|---|---|
Moodle Moodle | >3.9.0<3.9.20 | |
Moodle Moodle | >3.11.0<3.11.13 | |
Moodle Moodle | >4.0.0<4.0.7 | |
Moodle Moodle | =3.9.0 | |
Moodle Moodle | =3.11.0 | |
Moodle Moodle | =4.0.0 | |
Moodle Moodle | =4.1.0 | |
Moodle Moodle | =4.1.1 | |
redhat/moodle | <4.1.2 | 4.1.2 |
redhat/moodle | <4.0.7 | 4.0.7 |
redhat/moodle | <3.11.13 | 3.11.13 |
redhat/moodle | <3.9.20 | 3.9.20 |
composer/moodle/moodle | <3.9.20 | 3.9.20 |
composer/moodle/moodle | >=3.11.0<3.11.13 | 3.11.13 |
composer/moodle/moodle | >=4.0.0<4.0.7 | 4.0.7 |
composer/moodle/moodle | >=4.1.0<4.1.2 | 4.1.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-28330 is a vulnerability in Moodle, which allows teachers, managers, and admins to read arbitrary files through a backup feature.
Moodle versions 3.9.0 to 3.9.20, 3.11.0 to 3.11.13, 4.0.0 to 4.0.7, 4.1.0, and 4.1.1 are affected by CVE-2023-28330.
CVE-2023-28330 has a severity score of 6.5, which is considered a medium severity vulnerability.
To fix CVE-2023-28330, users should update their Moodle installation to a version that is not affected by the vulnerability.
More information about CVE-2023-28330 can be found in the references provided: [Reference 1](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3QZN34VSF4HTCW3C3ZP2OZYSLYUKADPF/) and [Reference 2](https://moodle.org/mod/forum/discuss.php?d=445062).