PT-2018-12626 · Moodle · Moodle

Johannes Moritz

Published

2018-09-17

Updated

2022-05-13

CVE-2018-14630

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions moodle versions prior to 3.5.2 moodle versions prior to 3.4.5 moodle versions prior to 3.3.8 moodle versions prior to 3.1.14

Description The issue allows for intentional remote code execution when importing legacy 'drag and drop into text' (ddwtos) type quiz questions. This could lead to the injection and execution of PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.

Recommendations For versions prior to 3.5.2, update to version 3.5.2 or later. For versions prior to 3.4.5, update to version 3.4.5 or later. For versions prior to 3.3.8, update to version 3.3.8 or later. For versions prior to 3.1.14, update to version 3.1.14 or later.

Exploit

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94CWE-20

Related Identifiers

CVE-2018-14630

GHSA-C3PR-H96W-2JJG

Affected Products

Moodle

PT-2018-12626 · Moodle · Moodle

CVE-2018-14630

Weakness Enumeration

Related Identifiers

Affected Products

References · 20