Evil Teacher: Code Injection in Moodle

Type ripstech
Reporter RIPS Technologies Blog
Modified 2018-06-12T15:33:00


Impact - Who can exploit what?

An attacker must be assigned the teacher role in a course of the latest Moodle (versions earlier than 3.5.0) running with the default configuration. Escalating to this role via another vulnerability, such as XSS, would also be possible. With these requirements met and knowledge of the vulnerability, the adversary is able to execute arbitrary commands on the underlying operating system of the server running Moodle.