CVE-2022-35650 — Moodle Arbitrary file read when importing lesson questions

Description

The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default.

How to fix CVE-2022-35650

To remediate CVE-2022-35650, upgrade the affected package to a fixed version below.

—upgrade to 3.9.15 or later
—upgrade to 3.9.15 or later

Is CVE-2022-35650 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 3.9.0, < 3.9.15, >= 3.11.0, < 3.11.8, >= 4.0.0, < 4.0.2
>= 3.9, < 3.9.15

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-35650
PATCHgithub.com/moodle/moodle
WEBgit.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72029
WEBbugzilla.redhat.com/show_bug.cgi?id=2106274