Main Vulnerability Database Vulnerabilities #VU40744

Improper access control in Moodle - CVE-2015-2267

Published: June 1, 2015 / Updated: August 9, 2020

Vulnerability identifier: #VU40744

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2015-2267

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: moodle.org

Affected software:
Moodle

Detailed vulnerability description

The vulnerability allows a remote #AU# to manipulate data.

mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value.

How to mitigate CVE-2015-2267

Install update from vendor's website.

Sources

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49087
http://openwall.com/lists/oss-security/2015/03/16/1
https://moodle.org/mod/forum/discuss.php?d=307381

Improper access control in Moodle - CVE-2015-2267

Detailed vulnerability description

How to mitigate CVE-2015-2267

Sources

Please verify you're human