Moodle: Improper Limitation of a Pathname to a Restricted Directory (CVE-2022-35650)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:C/I:N/A:N) | Jul 25, 2022 | Aug 3, 2022 | May 7, 2026 |
Description
The vulnerability was found in Moodle and occurs due to an input validation error when importing lesson questions. Insufficient path checks on the imported content result in a risk of arbitrary file read. This vulnerability allows a remote attacker to perform directory traversal attacks. By default, the ability to use this import feature is limited to teachers, managers and admins.
Solution
moodle-upgrade-latest
References
- CVE-2022-35650
- https://attackerkb.com/topics/CVE-2022-35650
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72029
- https://bugzilla.redhat.com/show_bug.cgi?id=2106274
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V/
- https://moodle.org/mod/forum/discuss.php?d=436457
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-6384
- CWE-22
- CWE-20
- EUVD-2022-6384