CVE-2018-1137

HIGH

Moodle 3.1.0-3.1.11 - Unauthenticated Denial of Service via Portfolio URL Substitution

Title source: llm

Description

An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack.

References (2)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/104307
Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=371204

Scores

CVSS v3 8.1
EPSS 0.0027
EPSS Percentile 50.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Details

CWE
CWE-20
Status published
Products (2)
moodle/moodle 3.1 - 3.1.12 (Packagist)
moodle/moodle 3.1.0 - 3.1.11
Published May 25, 2018
Tracked Since Feb 18, 2026