Evil Teacher: Code Injection in Moodle

2018-06-12T15:33:00
ID RIPSTECH:BEB6EBE8424B17291FAE79F3E66E0CD6
Type ripstech
Reporter RIPS Technologies Blog
Modified 2018-06-12T15:33:00

Description

Impact - Who can exploit what?

An attacker must be assigned the teacher role in a course of the latest Moodle (earlier than 3.5.0) running with the default configuration. Escalating to this role via another vulnerability, such as XSS, is also possible. Given these requirements and knowledge of the vulnerability, the adversary can execute arbitrary commands on the underlying operating system of the server running Moodle.