Evil Teacher: Code Injection in Moodle

12 Jun 2018 by Robin PeraglieMoodle is a widely-used open-source e-Learning software with more than 127 million users allowing teachers and students to digitally manage course activities and exchange learning material, often deployed by large universities. In this post we will examine the technical intrinsics of a critical vulnerability in the previous Moodle release detected by RIPS Code Analysis. It is located in the Quiz component of Moodle and can be successfully exploited through the teacher role in order to perform remote code execution. If you are running Moodle < 3.5.0 we highly recommend to update your instances to the newest version immediately.Impact – Who can exploit what?An attacker must be assigned the teacher role in a course of the latest Moodle (earlier than 3.5.0) running with default configurations. Escalating to this role via another vulnerability, such as XSS, would also be possible. Given these requirements and the knowledge of

Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/lK65Y_Hjo3I/

Original article

Comments are closed.

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: