Moodle SpellChecker Path Authenticated Remote Command Execution

Discussion in 'News Aggregator' started by Packet Storm, 13 Oct 2021.

  1. Packet Storm

    Packet Storm Guest

    Moodle allows an authenticated administrator to define spellcheck settings via the web interface. An administrator can update the aspell path to include a command injection. This is extremely similar to CVE-2013-3630, just using a different variable. This Metasploit module was tested against Moodle versions 3.11.2, 3.10.0, and 3.8.0.
