CVE-2018-1133 in Moodle

Summary

by MITRE

An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.


Analysis

by VulDB Data Team • 07/27/2025

CVE-2018-1133 is a critical flaw in the Calculated question type of Moodle 3.x that lets an authenticated user holding the Teacher role run arbitrary PHP on the web server. A Calculated question carries a teacher-supplied formula with placeholders such as {a} and {b}; Moodle substitutes generated values into that string and evaluates it, and the affected releases did so by handing the string to PHP's eval() with checks that could be bypassed, so the formula field is in effect a code-execution primitive for anyone allowed to author questions. The weakness is confined to that question type rather than the whole question engine, but because the injected code runs inside the Moodle process it inherits everything that process can reach.

Exploitation needs no memory corruption and no victim interaction: the attacker creates or edits a Calculated question whose formula contains PHP beyond the arithmetic the field is meant to hold, and the injected code executes when Moodle validates the formula or calculates an answer from it. The bar is low because the only precondition is the Teacher (or an equivalent course-editing) role, which institutions grant widely and frequently to staff outside IT, so a single phished or disgruntled teacher account is enough.

The operational impact is severe. Code execution as the web server user typically gives read access to config.php and therefore to the database credentials, exposing student records, grades and account data; the attacker can alter course content, plant a persistent backdoor in the Moodle code base, create or elevate accounts, and use the host as a pivot into the institution's network. The confidentiality and integrity of the whole installation are lost, and the institution may face data-protection obligations and reputational damage on top of the disruption to teaching.

The weakness is CWE-94, Improper Control of Generation of Code ('Code Injection'); its child CWE-95 (eval injection) describes the exact mechanism, which is why the MITRE summary uses that term. VulDB records ATT&CK technique T1059.001 (Command and Scripting Interpreter: PowerShell), but Moodle is a PHP application and no PowerShell is involved; the parent technique T1059, Command and Scripting Interpreter, is the accurate mapping. Mitigation: upgrade to a fixed release (Moodle security advisory MSA-18-0009: 3.4.3, 3.3.6, 3.2.9 and 3.1.12 or later); audit who holds Teacher and other question-editing roles and remove accounts that do not need them; review existing Calculated question formulas for anything other than arithmetic and the expected functions; and log question creation and edits so that an injection attempt leaves a trail. Network segmentation limits the blast radius but does not stop exploitation, since the attacker is already an authenticated user. Longer term, never pass user-controlled strings to eval(): parse them against an explicit grammar and evaluate the parse tree directly.
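To make the eval-injection pattern concrete, here is an added example in PHP (Moodle's language) that is not Moodle's code and not the published exploit. evaluate_formula_unsafe reproduces the shape of the flaw: it substitutes placeholder values into a teacher-supplied formula and hands the resulting string to eval(). SafeFormula is the hardened form: it tokenises the formula against an explicit grammar with a function whitelist and evaluates the parse tree itself, so nothing the teacher typed ever reaches the interpreter. All function and class names and both sample formulas are constructed for this example; the second formula is only an illustration of what an injected string can look like.

```php
<?php
// Added example, not Moodle's code (PHP 8+). It models the pattern the analysis
// describes: a teacher-supplied formula with {name} placeholders is filled in and
// handed to eval(). The function and class names and the sample formulas are constructed.

// VULNERABLE shape: substitute the variables, then let the interpreter run the string.
function evaluate_formula_unsafe(string $formula, array $vars): float {
    foreach ($vars as $name => $value) {
        $formula = str_replace('{' . $name . '}', (string) $value, $formula);
    }
    return (float) eval('return ' . $formula . ';'); // any valid PHP in $formula runs here
}

// HARDENED shape: never give the string to the interpreter. Tokenise it against a strict
// grammar (numbers, {names}, + - * / ( ) , and a short function whitelist) and evaluate
// the parse tree directly; anything outside the grammar is rejected before evaluation.
final class SafeFormula {
    private const FUNCS = ['abs', 'sqrt', 'round', 'min', 'max', 'pow'];
    private const TOKEN = '/(?<num>\d+(?:\.\d+)?)|\{(?<var>[a-z][a-z0-9_]*)\}|(?<fn>[a-z]+)\(|(?<op>[-+*\/(),])/i';
    private array $tokens = [];
    private int $pos = 0;
    public function __construct(string $formula, private array $vars) {
        $formula = preg_replace('/\s+/', '', $formula);
        preg_match_all(self::TOKEN, $formula, $matches, PREG_SET_ORDER);
        foreach ($matches as $m) {
            if (($m['num'] ?? '') !== '')     { $this->tokens[] = ['num', (float) $m['num']]; }
            elseif (($m['var'] ?? '') !== '') { $this->tokens[] = ['var', strtolower($m['var'])]; }
            elseif (($m['fn'] ?? '') === '')  { $this->tokens[] = ['op', $m['op']]; }
            elseif (in_array($fn = strtolower($m['fn']), self::FUNCS, true)) { $this->tokens[] = ['fn', $fn]; }
            else { throw new InvalidArgumentException("Function '$fn' is not allowed"); }
        }
        // Tokens that do not re-assemble into the input mean characters were skipped (quotes, semicolons, backticks, comment markers ...): reject.
        if (implode('', array_column($matches, 0)) !== $formula) {
            throw new InvalidArgumentException("Illegal characters in formula: $formula");
        }
    }

    public function evaluate(): float {
        $v = $this->expr();
        if ($this->pos !== count($this->tokens)) throw new InvalidArgumentException('Trailing tokens');
        return $v;
    }
    // Consume the next token if it is one of the given operators and return it, else null.
    private function take(string ...$ops): ?string {
        $t = $this->tokens[$this->pos] ?? null;
        if ($t === null || $t[0] !== 'op' || !in_array($t[1], $ops, true)) return null;
        $this->pos++;
        return $t[1];
    }

    private function expr(): float {   // expr := term (('+' | '-') term)*
        $v = $this->term();
        while ($op = $this->take('+', '-')) {
            $r = $this->term();
            $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function term(): float {   // term := factor (('*' | '/') factor)*
        $v = $this->factor();
        while ($op = $this->take('*', '/')) {
            $r = $this->factor();
            if ($op === '/' && $r == 0.0) throw new DomainException('Division by zero');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    // factor := '-' factor | num | {var} | fn '(' expr {',' expr} ')' | '(' expr ')'
    private function factor(): float {
        $t = $this->tokens[$this->pos++] ?? throw new InvalidArgumentException('Unexpected end of formula');
        switch ($t[0]) {
            case 'num': return $t[1];
            case 'var':
                if (!isset($this->vars[$t[1]])) throw new InvalidArgumentException("Unknown variable {$t[1]}");
                return (float) $this->vars[$t[1]];
            case 'fn':
                $args = [$this->expr()];
                while ($this->take(',')) $args[] = $this->expr();
                $this->take(')') ?? throw new InvalidArgumentException("Expected ')' after {$t[1]}(");
                return (float) $t[1](...$args);  // $t[1] is one of FUNCS; nothing else gets here
            default:                             // an operator token
                if ($t[1] === '-') return -$this->factor();
                if ($t[1] === '(') { $v = $this->expr(); $this->take(')') ?? throw new InvalidArgumentException("Expected ')'"); return $v; }
                throw new InvalidArgumentException("Unexpected token '{$t[1]}'");
        }
    }
}

// Demo with constructed inputs.
$vars  = ['a' => 3, 'b' => 4];
$legit = '({a} + {b}) * 2 - max({a}, {b})';
$evil  = '{a} + strlen(shell_exec("id")) /* {b} */';  // constructed shape of an injected formula
echo evaluate_formula_unsafe($legit, $vars), "\n";
echo (new SafeFormula($legit, $vars))->evaluate(), "\n";
// evaluate_formula_unsafe($evil, $vars) would run `id` as the web server user; never called here.
try { new SafeFormula($evil, $vars); }
catch (InvalidArgumentException $e) { echo "rejected: {$e->getMessage()}\n"; }
```

Run it with php on the command line: both evaluators agree on the legitimate formula, while the injected one is thrown out at tokenisation because strlen is not on the whitelist, and the reassembly check would catch the quotes and comment markers even if it were. Those two checks are the point: the evaluator never sees a string, only numbers and a fixed set of operations, so the class of bug the analysis describes cannot recur. The same tokeniser is what you would run over the formulas already stored in a Moodle database after patching, since a legitimate Calculated question has no reason to contain anything the grammar rejects.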

Reservation

12/04/2017

Disclosure

05/25/2018

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.40785

KEV

no

Activities

very low
