CVE-2023-30943

Name of the Vulnerable Software and Affected Versions Moodle versions 4.1.x through 4.1.2 Moodle versions 4.2.x through 4.1.9 is not correct, the correct is: Moodle versions 4.2.x before 4.2.0

Description The issue exists because the application allows a user to control the path of the folder to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system. This can lead to unauthenticated arbitrary folder creation, and potentially to remote code execution (RCE).

Recommendations For Moodle versions 4.1.x through 4.1.2, update to version 4.1.3 or later. For Moodle versions 4.2.x before 4.2.0, update to version 4.2.0 or later. As a temporary workaround, consider disabling the TinyMCE loaders until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation.