CVE-2018-14630

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2018-14630

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14630.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-14630

Aliases

GHSA-c3pr-h96w-2jjg

Downstream

UBUNTU-CVE-2018-14630

Published

2018-09-17T18:29:00.497Z

Modified

2026-04-10T04:05:57.271452Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.

References

Affected packages

Git / github.com/moodle/moodle

Affected ranges

Type

GIT

Repo

https://github.com/moodle/moodle

Events

Introduced

Last affected

0bd0ee444a07818fc495c95697ea1ec1a6abeefb

Introduced

268abfacc54c4cbf9722c1502569b311c7caefff

Fixed

b45c238223be0de8690f066f9c1319c220233782

Introduced

b87a580aa3eb23d5f05d7f619fc40a89e0f86fe5

Fixed

c37329dc106377ac4e1b7cf4603361df0fd63b48

Introduced

665c3ac59c35b7387a4fc70b8ac6600ce9ffeb87

Fixed

28f6460de388d77d95112e58463c04e69be5e208

Introduced

46574904afd39578fa4146bf1fc5c401ac680aa6

Fixed

bd27666c42be0c873c7d98f0e81cb226d2ca6dbd

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.0.10"
        },
        {
            "introduced": "3.1.0"
        },
        {
            "fixed": "3.1.14"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.8"
        },
        {
            "introduced": "3.4.0"
        },
        {
            "fixed": "3.4.5"
        },
        {
            "introduced": "3.5.0"
        },
        {
            "fixed": "3.5.2"
        }
    ]
}

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.3.0

v2.*

v2.0.0

v2.0.0-rc1

v2.0.0-rc2

v2.0.1

v2.1.0

v2.2.0

v2.2.0-beta

v2.2.0-rc1

v2.3.0

v2.3.0-beta

v2.3.0-rc1

v2.4.0

v2.4.0-beta

v2.4.0-rc1

v2.5.0

v2.5.0-beta

v2.5.0-rc1

v2.6.0

v2.6.0-beta

v2.6.0-rc1

v2.7.0

v2.7.0-beta

v2.7.0-rc1

v2.7.0-rc2

v2.8.0

v2.8.0-beta

v2.8.0-rc1

v2.8.0-rc2

v2.9.0

v2.9.0-beta

v2.9.0-rc1

v2.9.0-rc2

v3.*

v3.0.0

v3.0.0-beta

v3.0.0-rc1

v3.0.0-rc2

v3.0.0-rc3

v3.0.0-rc4

v3.0.1

v3.0.10

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

v3.1.0

v3.1.1

v3.1.10

v3.1.11

v3.1.12

v3.1.13

v3.1.2

v3.1.3

v3.1.4

v3.1.5

v3.1.6

v3.1.7

v3.1.8

v3.1.9

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.4.0

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.5.0

v3.5.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14630.json"