Arbitrary Code Execution

Affecting moodle/moodle package, versions >=3.8.0, <3.8.3 || >=3.7.0, <3.7.6 || >=3.6.0, <3.6.10 || >=3.5.0, <3.5.12


Overview

moodle/moodle is a learning platform.

Affected versions of this package are vulnerable to Arbitrary Code Execution. An authenticated user able to add a crafted SCORM package to a course could then interact with that package through Moodle's web services to achieve remote code execution on the server.

Remediation

Upgrade moodle/moodle to version 3.8.3, 3.7.6, 3.6.10, 3.5.12 or higher.
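One way to check an installation against the affected ranges listed above, as an added example that is not part of this advisory or of Moodle's own code. It reads the release string from a Moodle version.php (the snippet below is constructed for the demo), parses the advisory's range expression, and reports whether the release falls inside it. Weekly "+" builds are treated as their base point release, which is the conservative choice, and branches the advisory does not list (3.4 and older) are simply not covered, not declared safe.

```python
import re

# Affected ranges exactly as the advisory states them (Snyk syntax: "||" separates
# alternatives, "," joins conditions that must all hold).
AFFECTED = ">=3.8.0, <3.8.3 || >=3.7.0, <3.7.6 || >=3.6.0, <3.6.10 || >=3.5.0, <3.5.12"

# Constructed sample of a Moodle version.php for an offline demo (not a real file).
SAMPLE_VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();
$version  = 2019111802.00;
$release  = '3.8.2+ (Build: 20200313)';
$branch   = '38';
$maturity = MATURITY_STABLE;
"""

_OPS = {
    ">=": lambda a, b: a >= b,
    ">":  lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<":  lambda a, b: a < b,
    "=":  lambda a, b: a == b,
}


def parse_version(release):
    """Reduce a release string to a (major, minor, patch) tuple.

    Accepts plain "3.8.2" as well as Moodle's "3.8.2+ (Build: 20200313)" form.
    A trailing "+" marks a weekly build after that point release; it is treated
    as the base version, which is the conservative choice for a vulnerability
    check (a 3.8.2+ build may or may not already carry the 3.8.3 fix).
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_ranges(expr):
    """Turn the advisory's range expression into a list of clauses.

    Each clause is a list of (operator, version tuple) pairs that must all hold;
    the release is affected if any clause holds.
    """
    clauses = []
    for alternative in expr.split("||"):
        clause = []
        for cond in alternative.split(","):
            m = re.fullmatch(r"\s*(>=|<=|>|<|=)?\s*(\d+(?:\.\d+)*)\s*", cond)
            if not m:
                raise ValueError(f"bad range condition: {cond!r}")
            clause.append((m.group(1) or "=", parse_version(m.group(2))))
        clauses.append(clause)
    return clauses


def is_affected(release, expr=AFFECTED):
    """True if `release` falls inside any of the advisory's affected ranges.

    Branches the advisory does not list (3.4 and older, already end-of-life in
    May 2020) return False because no range covers them, not because they are
    known to be safe.
    """
    v = parse_version(release)
    return any(all(_OPS[op](v, bound) for op, bound in clause)
               for clause in parse_ranges(expr))


def release_from_version_php(text):
    """Extract the $release string from the contents of Moodle's version.php."""
    m = re.search(r"\$release\s*=\s*'([^']*)'", text)
    if not m:
        raise ValueError("no $release assignment found")
    return m.group(1)


if __name__ == "__main__":
    rel = release_from_version_php(SAMPLE_VERSION_PHP)
    verdict = "AFFECTED" if is_affected(rel) else "not in the affected ranges"
    print(f"Moodle {rel}: {verdict} by CVE-2020-10738")
```

To run it against a real deployment, replace SAMPLE_VERSION_PHP with the contents of the site's version.php; the fixed releases (3.8.3, 3.7.6, 3.6.10, 3.5.12) sit just outside the upper bound of each clause, so they correctly report as not affected.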

CVSS Score

7.5
high severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Credit
Unknown
CVE
CVE-2020-10738
CWE
CWE-94
Snyk ID
SNYK-PHP-MOODLEMOODLE-570188
Disclosed
22 May, 2020
Published
22 May, 2020