Cyber Resilience

CVE-2023-30943

Medium

Published: 02 May 2023

Modified: 21 November 2024
KEV Added: not listed (see Summary)
Patch: see Deeper analysis
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS Score: 0.2651 (96.4th percentile)
Risk Priority: 29 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-30943 is a medium-severity External Control of File Name or Path (CWE-73) vulnerability in Fedoraproject Fedora. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 3.6% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability affects Moodle and stems from improper handling of folder paths in the TinyMCE loaders, where user input controls the destination directory. A caller can therefore create arbitrary folders through externally controlled file paths; the issue is tracked under CWE-73 and CWE-610, and its CVSS 3.1 score of 6.5 reflects a network attack vector, low attack complexity, and high integrity impact with no privileges required (though user interaction is required).

A remote attacker can exploit the flaw by sending a specially crafted HTTP request that manipulates the folder creation path in the TinyMCE component. Successful exploitation enables the attacker to create arbitrary directories on the underlying system, potentially facilitating further unauthorized modifications or preparation for additional attacks, though user interaction is required per the CVSS metrics.

Advisories reference a Moodle git commit addressing MDL-77718 along with Red Hat and Fedora package updates that distribute the necessary patches to affected installations. These updates are available through standard distribution channels to remediate the path control issue. The associated EPSS score has remained stable near 0.26 with no material increase after disclosure.

Vulnerability details

The vulnerability was found in Moodle and exists because the application allows a user to control the path of the folder to create in the TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.

CWE(s)

CWE-73 (External Control of File Name or Path), CWE-610 (Externally Controlled Reference to a Resource in Another Sphere)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: moodle; Product: moodle; Versions: 4.1.0 to 4.1.3
Vendor: fedoraproject; Product: extra packages for enterprise linux; Version: 7.0
Vendor: fedoraproject; Product: fedora; Versions: 36, 37, 38

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-73: Rejects externally supplied file or resource identifiers that fail validity checks.

Addresses CWE-610: Limits the impact of an externally controlled reference to a primary information resource by switching to an identified alternative.
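The two controls above, applied to the folder-creation pattern this CVE describes, as an added example. This is illustrative code written for this page, not Moodle's code or its fix for MDL-77718; the base directory, the allow-list pattern and the fallback folder name are assumptions. The first control rejects any externally supplied folder name that is not a single safe path segment (CWE-73); the second substitutes a fixed, known-good folder whenever the supplied reference is rejected or resolves outside the base directory (CWE-610), so a bad request can never steer the write location.

```python
import os
import re
import tempfile

# Assumed allow-list: exactly one path segment of safe characters, no separators,
# no leading dot, at most 64 characters. Anything else is rejected outright.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")

# Assumed fallback folder used whenever the external reference is unacceptable.
FALLBACK_SEGMENT = "default"


def validate_folder_name(name):
    """CWE-73 control: accept only identifiers that pass the validity check."""
    return isinstance(name, str) and SAFE_SEGMENT.fullmatch(name) is not None


def resolve_target_dir(base_dir, requested, fallback=FALLBACK_SEGMENT):
    """Return (absolute_target, chosen_segment, used_fallback).

    CWE-610 control: if the externally supplied reference fails validation, or
    would resolve outside base_dir, switch to the identified fallback folder
    instead of honouring the request.
    """
    base = os.path.realpath(base_dir)
    segment = requested
    used_fallback = False

    if not validate_folder_name(segment):
        segment = fallback
        used_fallback = True

    target = os.path.realpath(os.path.join(base, segment))
    # Defence in depth: even a syntactically valid segment must stay inside base
    # after symlink resolution; otherwise fall back as well.
    if os.path.commonpath([base, target]) != base or target == base:
        segment = fallback
        used_fallback = True
        target = os.path.join(base, segment)

    return target, segment, used_fallback


def create_folder(base_dir, requested):
    """Create the resolved folder and report which segment was actually used."""
    target, segment, used_fallback = resolve_target_dir(base_dir, requested)
    os.makedirs(target, exist_ok=True)
    return target, segment, used_fallback


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable name and three that must be rejected.
    with tempfile.TemporaryDirectory() as base:
        for req in ["user_123", "../outside", "a/b", "/etc"]:
            target, seg, fb = create_folder(base, req)
            print(f"{req!r:14} -> {seg!r:10} fallback={fb} path={target}")
```

In a request handler the `used_fallback` flag is worth logging: a burst of rejected folder names from one client is a useful detection signal for probing of this weakness class, while the write itself stays confined to the intended base directory.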
