Arbitrary PHP Code Execution Vulnerability in the moodle/moodle library - CVE-2018-14630

Overview

Moodle is a learning platform designed to provide educators, administrators and learners with a system to create personalised learning environments. Moodle is vulnerable to arbitrary code execution: when questions of the 'drag and drop into text' (ddwtos) type are imported via XML, the import accepts questions containing PHP code, and that code is executed when the question is rendered.

PoC

When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.
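As an added defensive example (not part of the original advisory and not Moodle's own code): a pre-import scanner that walks a Moodle question-export XML file and flags any ddwtos question whose text nodes carry a PHP open tag, so an untrusted question bank can be checked before it is handed to the importer. The element names (`quiz`, `question type="..."`, `questiontext`, `text`, `dragbox`) follow the Moodle XML export format, but the embedded sample is constructed and simplified for this example; the function names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# A PHP open tag ("<?php" or the short echo tag "<?=") has no business inside
# question text or drag-box labels, which should be plain text or HTML only.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed sample (not a real export): two ddwtos questions, one benign and
# one carrying a PHP open tag in its question text, plus one multichoice question.
SAMPLE_XML = """<quiz>
  <question type="ddwtos">
    <name><text>Benign</text></name>
    <questiontext format="html">
      <text><![CDATA[<p>The capital of France is [[1]].</p>]]></text>
    </questiontext>
    <dragbox><text>Paris</text><group>1</group></dragbox>
  </question>
  <question type="ddwtos">
    <name><text>Suspicious</text></name>
    <questiontext format="html">
      <text><![CDATA[<p>Pick [[1]]</p><?php echo 'x'; ?>]]></text>
    </questiontext>
    <dragbox><text>Option</text><group>1</group></dragbox>
  </question>
  <question type="multichoice">
    <name><text>Other type</text></name>
    <questiontext format="html"><text><![CDATA[<p>ok</p>]]></text></questiontext>
  </question>
</quiz>
"""


def scan_question_xml(xml_text, question_types=("ddwtos",)):
    """Return a list of (question_name, element_tag, snippet) findings.

    Every text node (element text and tail) of each question whose type is in
    question_types is searched for a PHP open tag. Pass question_types=None to
    scan questions of every type.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for question in root.iter("question"):
        qtype = question.get("type")
        if question_types is not None and qtype not in question_types:
            continue
        name_el = question.find("name/text")
        qname = (name_el.text or "").strip() if name_el is not None else "<unnamed>"
        # question.iter() yields the question element itself and all descendants,
        # so CDATA inside <questiontext><text> and <dragbox><text> is covered.
        for el in question.iter():
            for raw in (el.text, el.tail):
                if not raw:
                    continue
                match = PHP_TAG_RE.search(raw)
                if match:
                    snippet = raw[match.start():match.start() + 40]
                    findings.append((qname, el.tag, snippet))
    return findings


def is_safe_to_import(xml_text):
    """True when no question of any type contains a PHP open tag."""
    return not scan_question_xml(xml_text, question_types=None)


if __name__ == "__main__":
    for qname, tag, snippet in scan_question_xml(SAMPLE_XML):
        print(f"PHP tag in question '{qname}' (<{tag}>): {snippet!r}")
    print("safe to import:", is_safe_to_import(SAMPLE_XML))
```

The scanner only reports where a PHP tag appears; it does not try to interpret or strip it, because a file that needs this kind of cleaning should be rejected and its origin reviewed rather than repaired and imported. Running it over every question type (`question_types=None`) costs nothing extra and catches the same pattern in formats the advisory does not mention.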

Remediation

Upgrade to Moodle v3.5.2.
