CVE-2024-38530

The Open eClass platform (formerly known as GUnet eClass) is a complete Course Management System. An arbitrary file upload vulnerability in the "save" functionality of the H5P module enables unauthenticated users to upload arbitrary files on the server's filesystem. This may lead in unrestricted RCE on the backend server, since the upload location is accessible from the internet. This vulnerability is fixed in 3.16.
Configurations

Configuration 1 (hide)

cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*:*

History

13 Aug 2024, 17:17

Type Values Removed Values Added
Summary
  • (es) La plataforma Open eClass (anteriormente conocida como GUnet eClass) es un completo sistema de gestión de cursos. Una vulnerabilidad de carga de archivos arbitrarios en la funcionalidad "guardar" del módulo H5P permite a usuarios no autenticados cargar archivos arbitrarios en el sistema de archivos del servidor. Esto puede generar RCE sin restricciones en el servidor backend, ya que se puede acceder a la ubicación de carga desde Internet. Esta vulnerabilidad se solucionó en 3.16.
References () https://github.com/gunet/openeclass/commit/4449cf8bed40fd8fc4b267a5726fab9f9fe5a191 - () https://github.com/gunet/openeclass/commit/4449cf8bed40fd8fc4b267a5726fab9f9fe5a191 - Patch
References () https://github.com/gunet/openeclass/security/advisories/GHSA-88c3-hp7p-grgg - () https://github.com/gunet/openeclass/security/advisories/GHSA-88c3-hp7p-grgg - Exploit, Vendor Advisory
First Time Openeclass openeclass
Openeclass
CPE cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*:*

12 Aug 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-12 15:15

Updated : 2024-08-13 17:17


NVD link : CVE-2024-38530

Mitre link : CVE-2024-38530

CVE.ORG link : CVE-2024-38530


JSON object : View

Products Affected

openeclass

  • openeclass
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type