Description
theme/yui_combo.php in Moodle 2.3.x before 2.3.2 does not properly construct error responses for the drag-and-drop script, which allows remote attackers to obtain the installation path by sending a request for a nonexistent resource and then reading the response.
Remediation
References