Description
mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value.
Remediation
References
Related Vulnerabilities
OpenSSL Cryptographic Issues Vulnerability (CVE-2013-6450)
WordPress Plugin Easy2Map Photos Cross-Site Scripting (2.0.6)
WordPress Denial of Service Vulnerability (0.70 - 3.6.1)
WordPress Plugin DMCA WaterMarker Cross-Site Scripting (1.0)
PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2010-2097)