vulnerability

Moodle: Unrestricted Upload of File with Dangerous Type (CVE-2016-9187)

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:P/A:P)

Published

Nov 4, 2016

Added

Sep 14, 2017

Modified

May 7, 2026

Description

Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.

Solution

moodle-upgrade-latest

References

CVE-2016-9187
https://attackerkb.com/topics/CVE-2016-9187
http://www.securityfocus.com/bid/94191
https://packetstormsecurity.com/files/139466/Moodle-CMS-3.1.2-Cross-Site-Scripting-File-Upload.html
https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-2536
CWE-434
EUVD-EUVD-2022-2536

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report