CVE-2018-14630
HIGHmoodle <3.0.10, 3.5.0-3.5.2 - Remote Code Execution via XML Import of ddwtos Quiz Questions
Title source: llmDescription
moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.
References (6)
Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/105354
Patch, Vendor Advisory x_refsource_confirm
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62880
Patch, Vendor Advisory x_refsource_confirm
https://moodle.org/mod/forum/discuss.php?d=376023
Exploit, Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
https://seclists.org/fulldisclosure/2018/Sep/28
Exploit, Third Party Advisory x_refsource_misc
https://www.sec-consult.com/en/blog/advisories/remote-code-execution-php-unserialize-moodle-open-source-learning-platform-cve-2018-14630/
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14630
Scores
CVSS v3
8.8
EPSS
0.0186
EPSS Percentile
83.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
CWE-20
Status
published
Products (2)
moodle/moodle
< 3.0.10
moodle/moodle
3.5.0 - 3.5.2Packagist
Published
Sep 17, 2018
Tracked Since
Feb 18, 2026