MSA-18-0012: Portfolio script allows instantiation of class chosen by user

by Marina Glancy.  

By substituting the class name passed in a portfolio URL, a user can make the portfolio script instantiate any PHP class. Because this is also reachable by users logged in as guests, it can be exploited to create a DDoS attack.
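The bug class, as an added illustration rather than Moodle's own code or the actual change in MDL-62233: a class name taken from the request is passed straight to `new`, beside a hardened version that checks the name is well-formed, exists, and is a concrete subclass of the expected base before anything is constructed. The names `portfolio_caller_base`, `portfolio_forum_caller`, `instantiate_caller_vulnerable` and `instantiate_caller_safe` are hypothetical, and the request values at the bottom are constructed for the demonstration.

```php
<?php
// Added example, not Moodle code. All names below are hypothetical.

abstract class portfolio_caller_base {
    abstract public function load_data(): void;
}

// The one legitimate caller in this toy setup.
class portfolio_forum_caller extends portfolio_caller_base {
    public function load_data(): void { /* load the forum post being exported */ }
}

// A class that is not part of the portfolio API but has an expensive
// constructor. Stands in for any library/core class whose constructor does
// real work (opens connections, reads files, allocates large buffers).
class expensive_unrelated_class {
    public function __construct() { usleep(200000); /* 0.2 s of "work" */ }
}

// VULNERABLE: the attacker controls $callerclass, so any loadable class can be
// constructed. A guest hitting this in a loop with an expensive class name is
// the denial-of-service vector the advisory describes.
function instantiate_caller_vulnerable(string $callerclass): object {
    return new $callerclass();
}

// HARDENED: validate before instantiating. No constructor runs unless the
// name passes every check.
function instantiate_caller_safe(string $callerclass): portfolio_caller_base {
    // 1. Syntactic check: reject anything that is not a plain identifier.
    if (!preg_match('/^[a-z][a-z0-9_]*$/', $callerclass)) {
        throw new InvalidArgumentException("malformed class name: $callerclass");
    }
    // 2. Type check: must exist and derive from the expected base. Both calls
    //    take a string, so nothing is constructed here.
    if (!class_exists($callerclass) ||
            !is_subclass_of($callerclass, portfolio_caller_base::class, true)) {
        throw new InvalidArgumentException("not a portfolio caller: $callerclass");
    }
    // 3. Must be instantiable (not abstract) to avoid a fatal error.
    if ((new ReflectionClass($callerclass))->isAbstract()) {
        throw new InvalidArgumentException("abstract caller: $callerclass");
    }
    return new $callerclass();
}

// Constructed request values standing in for the URL parameter.
$requests = [
    'portfolio_forum_caller',    // legitimate
    'expensive_unrelated_class', // DoS candidate
    'portfolio_caller_base',     // abstract, would fatal under `new`
    'Foo\\Bar',                  // namespaced / malformed
];

foreach ($requests as $name) {
    try {
        $obj = instantiate_caller_safe($name);
        echo "accepted: " . get_class($obj) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}
```

The type check is the minimum; where the set of valid callers is known up front (as it is for registered plugins), a strict allowlist of class names keyed by plugin is stronger still, because it does not depend on the class hierarchy and does not trigger autoloading for arbitrary names.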


Severity/Risk: Serious
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Brendan Cox
Workaround: Disable portfolios until the fix is applied. Portfolios are disabled by default in Moodle.
CVE identifier: CVE-2018-1137
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62233
Tracker issue: MDL-62233 Portfolio script allows instantiation of class chosen by user

Read more: https://moodle.org/mod/forum/discuss.php?d=371204&parent=1496358