Description
mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format.
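As an added example (not Moodle's code and not the project's fix), the following defensive check vets a content package before it is handed to any XML consumer: it parses the manifest with expat and rejects it as soon as a DOCTYPE, entity declaration or external entity reference appears. The manifest name `imsmanifest.xml`, the function names and both sample manifests are assumptions constructed for this illustration.

```python
import io
import zipfile
from xml.parsers import expat

MANIFEST_NAME = "imsmanifest.xml"  # assumed manifest name inside the package

# Constructed sample manifests (not taken from any real package).
CONSTRUCTED_CLEAN = b'<?xml version="1.0"?><manifest><title>Unit 1</title></manifest>'
CONSTRUCTED_WITH_ENTITY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE manifest [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>\n'
    b'<manifest><title>&ext;</title></manifest>'
)


class ManifestRejected(Exception):
    """Raised when the manifest declares a DTD or any entity."""


def check_manifest_xml(xml_bytes):
    """Parse with expat; abort on DOCTYPE, entity declarations or external refs."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ManifestRejected("DOCTYPE declaration %r not allowed" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ManifestRejected("entity declaration %r not allowed" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise ManifestRejected("external entity reference %r not allowed" % sysid)

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)  # also raises ExpatError on malformed XML
    return True


def check_package(package_bytes):
    """Open the uploaded zip in memory and vet its manifest before any other use."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        return check_manifest_xml(pkg.read(MANIFEST_NAME))


def make_package(manifest_bytes):
    """Build an in-memory zip holding only the manifest (for the samples above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr(MANIFEST_NAME, manifest_bytes)
    return buf.getvalue()
```

Legitimate manifests have no need for a DTD, so rejecting every DOCTYPE is a stricter rule than blocking external entities alone, and it also stops entity-expansion abuse.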
Remediation
References