Bug 2243432 (CVE-2023-5540, MSA-23-0032)

Summary: CVE-2023-5540 moodle: authenticated remote code execution risk in IMSCP
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ntait, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: moodle 4.2.3, moodle 4.1.6, moodle 4.0.11, moodle 3.11.17, moodle 3.9.24 Doc Type: If docs needed, set a value
Doc Text:
A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2244898, 2244899    
Bug Blocks: 2243346    

Description Robb Gatica 2023-10-11 23:41:07 UTC
A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers. This flaw affects versions 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions.

Comment 2 Nick Tait 2023-10-18 20:44:40 UTC
Created moodle tracking bugs for this issue:

Affects: epel-7 [bug 2244898]
Affects: fedora-all [bug 2244899]