By substituting the source URL in the filepicker AJAX request authenticated users are able to retrieve and view any URL. We classify this issue as serious because some cloud hosting providers contain internal resources that can expose data and compromise a server
Severity/Risk: | Serious |
Versions affected: | 3.4, 3.3 to 3.3.3, 3.2 to 3.2.6, 3.1 to 3.1.9 and earlier unsupported versions |
Versions fixed: | 3.4.1, 3.3.4, 3.2.7 and 3.1.10 |
Reported by: | Thomas DeVoss |
CVE identifier: | CVE-2018-1042 |
Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61131 |
Tracker issue: | MDL-61131 Server Side Request Forgery in /repository/repository_ajax.php (Critical for Cloud Hosted Moodle Instances) |