#VU31274 Improper Neutralization of Special Elements in Output Used by a Downstream Component in Moodle - CVE-2018-10891

Cybersecurity Help s.r.o.

Published: 2018-07-10 | Updated: 2020-07-17

Vulnerability identifier: #VU31274

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-10891

CWE-ID: CWE-74

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Moodle
Web applications / Other software

Vendor: moodle.org

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Moodle: 3.5.0 beta - 3.5.0

External links
https://www.securityfocus.com/bid/104739
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10891
https://moodle.org/mod/forum/discuss.php?d=373371

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora EPEL 7 update for moodle

Fedora 28 update for moodle

Fedora EPEL 7 update for moodle

Fedora 27 update for moodle

Multiple vulnerabilities in moodle Moodle