Main Vulnerability Database Vulnerabilities #VU43502

Information disclosure in Moodle - CVE-2012-4407

Published: September 19, 2012 / Updated: August 11, 2020

Vulnerability identifier: #VU43502

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2012-4407

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: moodle.org

Affected software:
Moodle

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

lib/filelib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly check the publication state of blog files, which allows remote attackers to obtain sensitive information by reading a blog entry that references a non-public file.

How to mitigate CVE-2012-4407

Install update from vendor's website.

Sources

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34585
http://moodle.org/mod/forum/discuss.php?d=211557
http://openwall.com/lists/oss-security/2012/09/17/1

Information disclosure in Moodle - CVE-2012-4407

Detailed vulnerability description

How to mitigate CVE-2012-4407

Sources

Please verify you're human