CVE-2018-14630 – moodle/moodle
Package
Manager: composer
Name: moodle/moodle
Vulnerable Version: >=3.5.0 <3.5.2 || >=3.4.0 <3.4.5 || >=3.2.0 <3.3.8 || >=0 <3.1.14
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.02086 (percentile: 0.83337)
Details
Moodle XML import of ddwtos could lead to intentional remote code execution. Moodle before versions 3.5.2, 3.4.5, 3.3.8 and 3.1.14 is vulnerable: an XML import of ddwtos questions could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.
Metadata
Created: 2022-05-13T01:34:31Z
Modified: 2024-01-26T18:00:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c3pr-h96w-2jjg/GHSA-c3pr-h96w-2jjg.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-c3pr-h96w-2jjg
Finding: F416
Auto approve: 1