CVE-2018-14630 — HIGH (8.8)

Q: How severe is CVE-2018-14630?

CVE-2018-14630 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-14630?

Check the references section above for vendor advisories and patch information. Affected products include: Moodle Moodle.

Vulnerability Description

moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Moodle	Moodle	<= 3.0.10

Related Weaknesses (CWE)

CWE-20 CWE-94

References

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62880PatchVendor Advisory
http://www.securityfocus.com/bid/105354Third Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14630Issue TrackingPatchThird Party Advisory
https://moodle.org/mod/forum/discuss.php?d=376023PatchVendor Advisory
https://seclists.org/fulldisclosure/2018/Sep/28ExploitMailing ListThird Party Advisory
https://www.sec-consult.com/en/blog/advisories/remote-code-execution-php-unseriaExploitThird Party Advisory
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62880PatchVendor Advisory
http://www.securityfocus.com/bid/105354Third Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14630Issue TrackingPatchThird Party Advisory
https://moodle.org/mod/forum/discuss.php?d=376023PatchVendor Advisory
https://seclists.org/fulldisclosure/2018/Sep/28ExploitMailing ListThird Party Advisory
https://www.sec-consult.com/en/blog/advisories/remote-code-execution-php-unseriaExploitThird Party Advisory

FAQ

What is CVE-2018-14630?

CVE-2018-14630 is a vulnerability with a CVSS score of 8.8 (HIGH). moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) ty...

How severe is CVE-2018-14630?

CVE-2018-14630 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-14630?

Check the references section above for vendor advisories and patch information. Affected products include: Moodle Moodle.