Description

Directory traversal vulnerability in the min_get_slash_argument function in lib/configonlylib.php in Moodle through 2.5.9, 2.6.x before 2.6.8, 2.7.x before 2.7.5, and 2.8.x before 2.8.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter, as demonstrated by reading PHP scripts.

Remediation

References

CVE-2015-1493

Related Vulnerabilities

MediaWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-42048)

WordPress Plugin Wordpress Poll SQL Injection (36)

WordPress Plugin Charitable-Donation Cross-Site Scripting (1.6.50)

WordPress Plugin Product Catalog SQL Injection (3.9.8)

PHP Other Vulnerability (CVE-2014-0236)

Severity

Medium

Classification

CVE-2015-1493 CWE-22

Tags

Missing Update Known Vulnerabilities