CVE-2018-14630

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-14630
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14630.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-14630
Aliases
Downstream
Published
2018-09-17T18:29:00.497Z
Modified
2026-02-15T07:30:20.594209Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.

References

Affected packages

Git / github.com/moodle/moodle

Affected ranges

Type
GIT
Repo
https://github.com/moodle/moodle
Events
Introduced
268abfacc54c4cbf9722c1502569b311c7caefff
Fixed
b45c238223be0de8690f066f9c1319c220233782
Introduced
46574904afd39578fa4146bf1fc5c401ac680aa6
Fixed
bd27666c42be0c873c7d98f0e81cb226d2ca6dbd
Introduced
665c3ac59c35b7387a4fc70b8ac6600ce9ffeb87
Fixed
28f6460de388d77d95112e58463c04e69be5e208
Introduced
b87a580aa3eb23d5f05d7f619fc40a89e0f86fe5
Fixed
c37329dc106377ac4e1b7cf4603361df0fd63b48

Affected versions

v3.*
v3.1.0
v3.1.1
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.0-beta
v3.2.0-rc1
v3.2.0-rc2
v3.2.0-rc3
v3.2.0-rc4
v3.2.0-rc5
v3.3.0
v3.3.0-beta
v3.3.0-rc1
v3.3.0-rc2
v3.3.0-rc3
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.4.0
v3.4.0-beta
v3.4.0-rc1
v3.4.0-rc2
v3.4.0-rc3
v3.4.1
v3.4.2
v3.4.3
v3.4.4
v3.5.0
v3.5.0-beta
v3.5.0-rc1
v3.5.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14630.json"