CVE-2013-5674
Moodle 2.5.x - PHP Object Injection via Badge Description Unserialization
badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.
References (2)
Core References
Patch x_refsource_confirm
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40924
Patch, Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=238397
Scores
EPSS: 0.0057
EPSS Percentile: 68.8%
Details
CWE: CWE-94
Status: published
Products (2)
moodle/moodle 2.5.0
moodle/moodle 2.5.1
Published: Sep 16, 2013
Tracked Since: Feb 18, 2026