Main Vulnerability Database Vulnerabilities #VU89544

PHP file inclusion in Moodle - CVE-2024-34002

Published: May 15, 2024

Vulnerability identifier: #VU89544

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-34002

CWE-ID: CWE-98

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Moodle

Software vendor:
moodle.org

Description

The vulnerability allows a remote attacker to include and execute arbitrary PHP files on the server.

The vulnerability exists due to incorrect input validation when including PHP files in some misconfigured shared hosting environments via modified mod_feedback backup. A remote user can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.

Remediation

Install updates from vendor's website.

External links

https://moodle.org/mod/forum/discuss.php?d=458390
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81135

PHP file inclusion in Moodle - CVE-2024-34002

Description

Remediation

External links

Please verify you're human