Description

Moodle 1.5.2 and earlier stores sensitive information under the web root with insufficient access control, and provides directory listings, which allows remote attackers to obtain user names, password hashes, and other sensitive information via a direct request for session (sess_*) files in moodledata/sessions/.

Remediation

References

CVE-2007-1647

Related Vulnerabilities

MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2020-15005)

WordPress Plugin Slimstat Analytics PHP Object Injection (4.7)

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-7939)

Liferay DXP Incorrect Default Permissions Vulnerability (CVE-2024-25605)

WordPress Plugin 301 Redirects-Easy Redirect Manager Security Bypass (2.40)

Severity

High

Classification

CVE-2007-1647

Tags

Missing Update Known Vulnerabilities