Main Vulnerability Database Vulnerabilities #VU42569

Code Injection in Moodle - CVE-2013-5674

Published: September 16, 2013 / Updated: August 10, 2020

Vulnerability identifier: #VU42569

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2013-5674

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: moodle.org

Affected software:
Moodle

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.

How to mitigate CVE-2013-5674

Install update from vendor's website.

Sources

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40924
https://moodle.org/mod/forum/discuss.php?d=238397

Code Injection in Moodle - CVE-2013-5674

Detailed vulnerability description

How to mitigate CVE-2013-5674

Sources

Please verify you're human