VDB
CVE-2018-14630
CVE-2018-14630
PUBLISHED
moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.
EPSS 1.86% · 83.4th percentile
Risk Scores
EPSS Score
1.86%
83.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | moodle | 3.0.3+dfsg-0ubuntu1, 0 |
| Ubuntu:16.04:LTS | moodle | 0, 2.7.9+dfsg-1, 2.7.10+dfsg-1 |
Exploit Intelligence
- https://seclists.org/fulldisclosure/2018/Sep/28 (nist-nvd)
- https://www.sec-consult.com/en/blog/advisories/remote-code-execution-php-unserialize-moodle-open-source-learning-platform-cve-2018-14630/ (nist-nvd)
- Moodle 3.x PHP Unserialize Remote Code Execution Exploit (0day-today)
- Moodle 3.x PHP Unserialize Remote Code Execution Exploit (0day-today)
Timeline
- Sep 17, 2018 CVE Published
- Sep 19, 2018 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-14630 third-party-advisory
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62880 third-party-advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14630 third-party-advisory
- https://moodle.org/mod/forum/discuss.php?d=376023 third-party-advisory
- https://claudiospiess.com/posts/exploiting-moodle/ third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-14630 third-party-advisory