Vulnerability Bulletins

MSA-23-0005: Authenticated arbitrary file read through malformed backup file

System information

Affected software PHP


By Michael Hawkins.

Description: Insufficient sanitising of backup files resulted in an arbitrary file read risk: an authenticated user who can restore a backup could supply a malformed backup file and read files they should not have access to. The capability required to reach this feature is, by default, granted only to teachers, managers and admins.

Severity/Risk: Serious
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: Vincent Schneider (cli-ish)
Workaround: Remove the restore activity/course capabilities from all roles until the patch is applied.
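The version ranges above are the operational payload of this advisory, and checking a fleet against them by hand is error-prone (the branches have different fix points, and "earlier unsupported versions" has to be handled as a catch-all). The following is an added example written for this page, not code from the advisory or from the Moodle project: it parses the "Versions affected" and "Versions fixed" strings exactly as printed above and classifies a deployed version string of the form the ranges use (major.minor.point, e.g. 4.0.7; a trailing "+" or suffix is ignored). The AFFECTED and FIXED constants are copied from the advisory; the inventory in `__main__` is constructed sample data.

```python
"""Classify deployed versions against the ranges published in MSA-23-0005."""
from __future__ import annotations

import re

# Copied verbatim from the advisory text above.
AFFECTED = ("4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, "
            "3.9 to 3.9.19 and earlier unsupported versions")
FIXED = "4.1.2, 4.0.7, 3.11.13 and 3.9.20"

_VER = r"\d+(?:\.\d+)*"


def parse_version(s: str) -> tuple[int, int, int]:
    """'4.1.1' -> (4, 1, 1); '4.1' -> (4, 1, 0); '3.9.20+' -> (3, 9, 20).

    Only the leading numeric dotted part is used, so build suffixes are dropped.
    """
    m = re.match(rf"\s*({_VER})", s)
    if not m:
        raise ValueError(f"unparseable version string: {s!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def branch(v: tuple[int, int, int]) -> tuple[int, int]:
    """The maintenance branch a version belongs to, e.g. (4, 1) for 4.1.x."""
    return v[:2]


def parse_affected(text: str) -> tuple[dict, bool]:
    """Map each branch to its (low, high) affected range.

    The bool reports whether the advisory also flags "earlier unsupported
    versions", i.e. every branch older than the oldest one listed.
    """
    ranges = {}
    for low, high in re.findall(rf"({_VER})\s+to\s+({_VER})", text):
        lo, hi = parse_version(low), parse_version(high)
        ranges[branch(lo)] = (lo, hi)
    return ranges, "earlier unsupported" in text


def parse_fixed(text: str) -> dict:
    """Map each branch to the first version on it that carries the fix."""
    return {branch(v): v for v in (parse_version(x) for x in re.findall(_VER, text))}


def assess(version: str) -> str:
    """Return 'affected', 'fixed', 'not listed' or 'unknown' for one version."""
    v = parse_version(version)
    ranges, earlier_unsupported = parse_affected(AFFECTED)
    fixed = parse_fixed(FIXED)
    b = branch(v)
    if b in ranges:
        lo, hi = ranges[b]
        if lo <= v <= hi:
            return "affected"
        if b in fixed and v >= fixed[b]:
            return "fixed"
        return "unknown"  # on a listed branch but outside both ranges
    if earlier_unsupported and b < min(ranges):
        return "affected"  # covered by "and earlier unsupported versions"
    return "not listed"  # newer branch, or an unsupported branch the advisory does not name


def assess_inventory(hosts: dict[str, str]) -> dict[str, str]:
    """Classify a {hostname: version} mapping; hosts needing action sort first."""
    order = {"affected": 0, "unknown": 1, "not listed": 2, "fixed": 3}
    results = {h: assess(ver) for h, ver in hosts.items()}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1]]))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {
        "lms-prod-1": "4.1.1",
        "lms-prod-2": "4.1.2",
        "lms-legacy": "3.8.9",
        "lms-test": "4.0.7+",
        "lms-old": "3.10.5",
    }
    for host, verdict in assess_inventory(inventory).items():
        print(f"{host:12} {inventory[host]:8} {verdict}")
```

Note the "not listed" verdict for a branch such as 3.10: it sits between named branches but is unsupported and not mentioned in the advisory, so the script refuses to call it fixed; treat such hosts as affected until you have evidence otherwise.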

More info:

Standard resources

Property Value
CVE CVE-2023-28330

Version history

Version Comments Date
1.0 Advisory issued 2023-04-28
Ministerio de Defensa