#VU31206 Code Injection in Moodle - CVE-2018-14630

Cybersecurity Help s.r.o.

Published: 2018-09-17 | Updated: 2020-07-17

Vulnerability identifier: #VU31206

Vulnerability risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-14630

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Moodle
Web applications / Other software

Vendor: moodle.org

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Moodle: 3.5.0 beta - 3.5.1

External links
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62880
https://www.securityfocus.com/bid/105354
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14630
https://moodle.org/mod/forum/discuss.php?d=376023
https://seclists.org/fulldisclosure/2018/Sep/28
https://www.sec-consult.com/en/blog/advisories/remote-code-execution-php-unserialize-moodle-open-source-learning-platform-cve-2018-14630/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in moodle Moodle