Vulnerability DatabaseCVE-2018-14630
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2018-14630
Published:September 17, 2018
Updated:May 17, 2026
moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.
Affected Packages
moodle/moodle (PHP):
Affected version(s) >=v3.2.0 <v3.3.8
Fix Suggestion:
Update to version v3.3.8
moodle/moodle (PHP):
Affected version(s) >=v3.4.0 <v3.4.5
Fix Suggestion:
Update to version v3.4.5
moodle/moodle (PHP):
Affected version(s) >=v3.5.0 <v3.5.2
Fix Suggestion:
Update to version v3.5.2
Related Resources (15)
https://www.sec-consult.com/en/blog/advisories/remote-code-execution-php-unserialize-moodle-open-source-learning-platform-cve-2018-14630
https://github.com/moodle/moodle/commit/be092b730910ad97fff0511e177a097ec1cc4b1c
https://moodle.org/mod/forum/discuss.php?d=376023
https://nvd.nist.gov/vuln/detail/CVE-2018-14630
https://web.archive.org/web/20200227111301/https://www.securityfocus.com/bid/105354
https://seclists.org/fulldisclosure/2018/Sep/28
https://www.sec-consult.com/en/blog/advisories/remote-code-execution-php-unserialize-moodle-open-source-learning-platform-cve-2018-14630/
https://github.com/moodle/moodle/commit/da1eeea0ff3d292b7669e478abc114872dd9cc8f
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14630
https://github.com/moodle/moodle/commit/cb8aefa658cf7ad8f002a480343afb2dea94cc08
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62880
https://github.com/moodle/moodle/commit/cfc4393aa689c277a27b9a040ff7dcbdac4e41dd
https://github.com/moodle/moodle/commit/09cbca8566a388e8f0a1a0cfd86cd0667088ed2c
http://www.securityfocus.com/bid/105354
https://github.com/moodle/moodle
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Control of Generation of Code ('Code Injection')
CWE-94
Improper Input Validation
CWE-20
EPSS
Base Score:
1.86