CVE-2023-30943 PoC — Moodle 安全漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-30943.yaml

Associated Vulnerability

Title:Moodle 安全漏洞 (CVE-2023-30943)
Description:Moodle是一套免费、开源的电子学习软件平台，也称课程管理系统、学习管理系统或虚拟学习环境。 Moodle存在安全漏洞，该漏洞源于允许用户控制要在TinyMCE加载程序中创建的旧文件的路径，远程用户可以发送特制的HTTP请求并在系统上创建任意文件夹。

Description

The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system. Moodle versions 4.1.x before 4.1.3 and 4.2.x before 4.2.0 are susceptible to an unauthenticated arbitrary folder creation, tracked as CVE-2023-30943. An attacker can leverage the creation of arbitrary folders to carry out a Stored Cross-Site Scripting (XSS) attack on the administration panel, resulting in arbitrary code execution on the server as soon as an administrator visits the panel.

File Snapshot


 id: CVE-2023-30943

info:
  name: Moodle - Cross-Site Scripting/Remote Code Execution
  author: riti

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!