Vulnerability Bulletins

MSA-23-0005: Authenticated arbitrary file read through malformed backup file


System information

Affected software: PHP

Description

by Michael Hawkins. Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.

Severity/Risk: Serious
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: Vincent Schneider (cli-ish)
Workaround: Remove restore activity/course capabilities until the patch is applied.
CVE identifier: CVE-2023-28330

More info:

https://moodle.org/mod/forum/discuss.php?d=445062&parent=1788895

Standard identifiers

Property Value
CVE CVE-2023-28330

Version history

Version Comment Date
1.0 Advisory issued 2023-03-21
