Full title: Moodle SpellChecker Path Authenticated Remote Command Execution Exploit 
Category: web applications
Platform: php
Moodle allows an authenticated administrator to define spellcheck settings via the web interface. An administrator can update the aspell path to include a command injection. This is extremely similar to CVE-2013-3630, just using a different variable. This Metasploit module was tested against Moodle versions 3.11.2, 3.10.0, and 3.8.0.

# 0day.today @ http://0day.today/