An administrative command injection vulnerability in Moodle’s TeX filter configuration could allow an authenticated attacker to execute arbitrary commands on the underlying server.

The vulnerability exists in the administrative configuration interface for the TeX filter. An authenticated attacker with administrative privileges can input malicious strings into configuration fields which, due to a lack of sanitization, are executed by the system shell.

The potential for remote code execution (RCE) represents a critical risk to the host operating system. While the attack requires administrative access, a compromised admin account could lead to full system takeover, lateral movement within the network, and total loss of data confidentiality. The CVSS score of 7.2 underscores the high impact of the vulnerability despite the requirement for high-level authentication.

Immediate Action: Update Moodle to the latest version to apply the necessary sanitization logic to the TeX filter administrative settings.

Proactive Monitoring: Audit administrative activity logs for changes to filter configurations and monitor for suspicious shell activity originating from the web server user.

Compensating Controls: Implement the principle of least privilege by limiting the number of users with site-wide administrative access and use endpoint detection and response (EDR) tools to block unauthorized process execution.

Public Exploit Available: false

This vulnerability should be treated with urgency, as it provides a direct path from application-level access to OS-level control. Organizations must apply the vendor-provided security updates immediately. Furthermore, ensure that the web server is running with the lowest possible privileges to mitigate the impact of any successful injection.