cbcvebase.
CVE-2013-3630
published 2013-11-01

CVE-2013-3630: Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a…

PriorityP346medium4.6CVSS 2.0
AVNACHAuSCPIPAP
EXPLOIT
EPSS
42.57%
98.5th percentile
Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.

Affected

117 ranges· showing 25
VendorProductVersion rangeFixed in
moodlemoodle<= 2.5.2
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle
moodlemoodle

Detection & IOCsextracted from sources · hover to see the quote

url/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php
url/admin/settings.php?section=editorsettingstinymce
path/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php
command{"id":"c0","method":"checkWords","params":["en",[""]]}
others__aspellpath=<payload>
others_editor_tinymce_spellengine=PSpellShell
  • Monitor POST requests to the Moodle spellchecker RPC endpoint at /lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php with Content-Type application/json, which is the trigger point for payload execution.
  • Detect POST requests to /admin/settings.php with POST body containing 'section=systempaths' and 's__aspellpath' set to a non-standard binary path (i.e., not a legitimate aspell binary), indicating command injection into the aspell path setting.
  • Alert on POST requests to /admin/settings.php with 'section=editorsettingstinymce' and 's_editor_tinymce_spellengine=PSpellShell', which is the prerequisite configuration step for exploitation.
  • The exploit chain involves stealing an admin sesskey via a referenced XSS vulnerability (EDB-28174) to escalate from unprivileged authenticated user to admin; monitor for sesskey exfiltration patterns in conjunction with admin settings changes.
  • The JSON payload body sent to the spellchecker RPC endpoint uses method 'checkWords' — detect JSON POST bodies to rpc.php containing this method as the execution trigger.
  • ·Exploitation requires authenticated access; the attacker must either have admin credentials or leverage the companion XSS (EDB-28174) to steal an admin sesskey. Detection should account for both direct admin login and sesskey-hijacking scenarios.
  • ·The vulnerability was confirmed against Moodle versions 2.5.2 and 2.2.3; the NVD scope is 'through 2.5.2'. A closely related variant using a different variable was later identified affecting Moodle 3.8.0–3.11.2 (see moodle_spelling_path_rce.rb), so detections on the settings path should not be version-gated too narrowly.
  • ·The default TARGETURI in the Metasploit module is '/moodle/', but Moodle may be installed at the web root or other paths; detection rules should use relative path matching rather than absolute path matching.

CVSS provenance

nvdv2.04.6MEDIUMAV:N/AC:H/Au:S/C:P/I:P/A:P
osv4.6MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.