Code Injection in Moodle - CVE-2018-14630
Published: September 17, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31206
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-14630
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: moodle.org
Affected software:
Moodle
Moodle
Detailed vulnerability description
The vulnerability allows a remote authenticated user to execute arbitrary code.
moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.
How to mitigate CVE-2018-14630
Install update from vendor's website.
Sources
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62880
- http://www.securityfocus.com/bid/105354
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14630
- https://moodle.org/mod/forum/discuss.php?d=376023
- https://seclists.org/fulldisclosure/2018/Sep/28
- https://www.sec-consult.com/en/blog/advisories/remote-code-execution-php-unserialize-moodle-open-source-learning-platform-cve-2018-14630/