CVE-2018-1133
published 2018-05-25

CVE-2018-1133: An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.

Priority: P2 (72, high)
CVSS 3.0 base score: 8.8
Exploit: public PoC available (see Detection & IOCs)
EPSS: 32.23% (98.1th percentile)

Affected (8 ranges)

Vendor   Product   Version range       Fixed in
moodle   moodle    >= 3.1 < 3.1.12     3.1.12
moodle   moodle    3.1.0 – 3.1.11
moodle   moodle    >= 3.2 < 3.2.9      3.2.9
moodle   moodle    3.2.0 – 3.2.8
moodle   moodle    >= 3.3 < 3.3.6      3.3.6
moodle   moodle    3.3.0 – 3.3.5
moodle   moodle    >= 3.4 < 3.4.3      3.4.3
moodle   moodle    3.4.0 – 3.4.2

Detection & IOCs (extracted from sources)

url      /login/index.php
url      /course/view.php
url      /course/jumpto.php
url      /course/modedit.php
url      /mod/quiz/edit.php
url      /question/question.php?courseid=
other    /*{a*/`$_GET[0]`;//{x}}
cookie   MoodleSession
  • Monitor POST requests to /question/question.php with qtype=calculated containing eval-injectable answer fields such as backtick-wrapped $_GET references (e.g., `$_GET[0]`) in the answer[0] parameter.
  • Detect exploitation attempts by looking for the pattern /*{a*/`...`;//{x}} in HTTP POST bodies targeting Moodle calculated question endpoints, which is the eval-injection payload structure.
  • The exploit follows a specific multi-step HTTP sequence: login → course load → enable editing → add quiz → configure quiz → add calculated question → submit evil answer formula. Correlating this sequence from a single session is a strong indicator of exploitation.
  • The vulnerability is tracked as MSA-18-0007 and described as: Calculated question type allows remote code execution by Question authors. Monitor teacher-role accounts creating Calculated questions.
  • Exploitation requires a valid teacher (or question author) account on the Moodle instance and a course ID that the teacher has access to; unauthenticated exploitation is not possible.
  • The exploit PoC targets Moodle 3.4.1 specifically; the CVE affects Moodle 3.x broadly. Verify the affected version range before scoping detection.
  • The reverse shell payload in the PoC uses Python and /bin/sh; server environments without Python or with restricted shell access may require a different payload, meaning the specific command IOC may vary in real attacks.
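The two request-level indicators above (backtick-wrapped $_GET references in answer fields, and the /*{...*/`...`;//{x}} wrapper) can be turned into a small inspection routine for proxy or WAF logs. The following is an added example written for this page, not code from the CVE record, Moodle, or the PoC. It assumes a log source that yields the HTTP method, the request URL and the urlencoded form body; the sample requests are constructed, and the superglobal list is widened beyond $_GET to $_POST, $_REQUEST and $_COOKIE as an assumption, since the page only names $_GET.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Backtick-wrapped reference to a PHP request superglobal, e.g. `$_GET[0]`.
# The page names only $_GET; the other superglobals are an assumption.
BACKTICK_SUPERGLOBAL = re.compile(r"`[^`]*\$_(GET|POST|REQUEST|COOKIE)\b[^`]*`")

# The comment-wrapped structure from the IOC list: /*{a*/ ... ;//{x}}
COMMENT_WRAPPED_EVAL = re.compile(r"/\*\{.*?\*/.*?;//\{.*?\}\}", re.S)

PATTERNS = [
    ("backtick_superglobal", BACKTICK_SUPERGLOBAL),
    ("comment_wrapped_eval", COMMENT_WRAPPED_EVAL),
]

# Constructed sample requests (method, URL, urlencoded body); not real traffic.
# Request 1 carries the page's IOC string, urlencoded as a browser would send it.
SAMPLE_REQUESTS = [
    ("POST", "/question/question.php?courseid=2",
     "qtype=calculated&answer%5B0%5D=%7Ba%7D%2B%7Bb%7D&fraction%5B0%5D=1.0"),
    ("POST", "/question/question.php?courseid=2",
     "qtype=calculated&answer%5B0%5D=%2F%2A%7Ba%2A%2F%60%24_GET%5B0%5D%60%3B%2F%2F%7Bx%7D%7D"),
    ("POST", "/question/question.php?courseid=2",
     "qtype=multichoice&answer%5B0%5D=%60%24_GET%5B0%5D%60"),
    ("GET", "/course/view.php?id=2", ""),
]


def inspect_request(method, url, body):
    """Inspect one request; return a list of (field, pattern_name, qtype) findings.

    Only POSTs to /question/question.php are examined. Every answer* form field
    is checked against both patterns; qtype is reported rather than used as a
    hard filter so a rule can weight 'calculated' higher without missing
    the same payload submitted under another question type.
    """
    if method.upper() != "POST":
        return []
    if not urlsplit(url).path.endswith("/question/question.php"):
        return []
    params = parse_qs(body, keep_blank_values=True)   # decodes keys such as answer[0]
    qtype = params.get("qtype", [""])[0]
    findings = []
    for field, values in params.items():
        if not field.startswith("answer"):
            continue
        for value in values:
            for name, pattern in PATTERNS:
                if pattern.search(value):
                    findings.append((field, name, qtype))
    return findings


def scan(requests):
    """Return {request_index: findings} for every request that produced a finding."""
    hits = {}
    for i, (method, url, body) in enumerate(requests):
        findings = inspect_request(method, url, body)
        if findings:
            hits[i] = findings
    return hits


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        for field, name, qtype in findings:
            print(f"request {idx}: {field} matched {name} (qtype={qtype})")
```

In use, the session cookie (MoodleSession) and the /mod/quiz/edit.php to /question/question.php ordering from the bullet list would be added as correlation keys on top of the per-request match, which is what the sequence indicator above describes.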

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
osv                8.8     HIGH