{"api_version":"1","generated_at":"2026-05-08T07:41:03+00:00","cve":"CVE-2018-1137","urls":{"html":"https://cve.report/CVE-2018-1137","api":"https://cve.report/api/cve/CVE-2018-1137.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-1137","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-1137"},"summary":{"title":"CVE-2018-1137","description":"An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2018-05-25 12:29:00","updated_at":"2018-06-25 21:54:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/104307","name":"104307","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Moodle Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://moodle.org/mod/forum/discuss.php?d=371204","name":"https://moodle.org/mod/forum/discuss.php?d=371204","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Moodle.org: MSA-18-0012: Portfolio script allows instantiation of class chosen by user","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1137","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1137","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"1137","vulnerable":"1","versionEndIncluding":"3.1.11","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"moodle","cpe5":"moodle","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1137","vulnerable":"1","versionEndIncluding":"3.2.8","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"moodle","cpe5":"moodle","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1137","vulnerable":"1","versionEndIncluding":"3.3.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"moodle","cpe5":"moodle","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1137","vulnerable":"1","versionEndIncluding":"3.4.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"moodle","cpe5":"moodle","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","ID":"CVE-2018-1137","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Moodle 3.x unknown","version":{"version_data":[{"version_value":"Moodle 3.x unknown"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"incorrect access control"}]}]},"references":{"reference_data":[{"name":"104307","refsource":"BID","url":"http://www.securityfocus.com/bid/104307"},{"name":"https://moodle.org/mod/forum/discuss.php?d=371204","refsource":"CONFIRM","url":"https://moodle.org/mod/forum/discuss.php?d=371204"}]}},"nvd":{"publishedDate":"2018-05-25 12:29:00","lastModifiedDate":"2018-06-25 21:54:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":5.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":4.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4.0","versionEndIncluding":"3.4.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3.0","versionEndIncluding":"3.3.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1.0","versionEndIncluding":"3.1.11","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2.0","versionEndIncluding":"3.2.8","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"1137","Ordinal":"116368","Title":"CVE-2018-1137","CVE":"CVE-2018-1137","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"1137","Ordinal":"1","NoteData":"An issue was discovered in Moodle 3.x. By substituting URLs in portfolios, users can instantiate any class. This can also be exploited by users who are logged in as guests to create a DDoS attack.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"1137","Ordinal":"2","NoteData":"2018-05-25","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"1137","Ordinal":"3","NoteData":"2018-05-30","Type":"Other","Title":"Modified"}]}}}