Main Vulnerability Database SB2018091724

SB2018091724 - Fedora EPEL 7 update for moodle

Published: September 17, 2018 Updated: April 24, 2025

Security Bulletin ID SB2018091724

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Code Injection (CVE-ID: CVE-2018-14630)

The vulnerability allows a remote authenticated user to execute arbitrary code.

moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-c0e0064bf7