Security announcements

MSA-18-0007: Calculated question type allows remote code execution by Question authors

 
Picture of Marina Glancy
MSA-18-0007: Calculated question type allows remote code execution by Question authors
 

Teacher creating Calculated question can intentionally cause remote code execution on server


Severity/Risk: Serious
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Robin Peraglie
CVE identifier: CVE-2018-1133
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62275
Tracker issue: MDL-62275, MDL-62469 Calculated question type allows remote code execution by Question authors