VYPR
← All advisories
Moderate severityNVD Advisory· Published Jul 29, 2014· Updated May 6, 2026

CVE-2014-3542

CVE-2014-3542

Description

mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
moodle/moodlePackagist
<= 2.3.11
moodle/moodlePackagist
>= 2.4.0, < 2.4.112.4.11
moodle/moodlePackagist
>= 2.5.0, < 2.5.72.5.7
moodle/moodlePackagist
>= 2.6.0, < 2.6.42.6.4
moodle/moodlePackagist
>= 2.7.0, < 2.7.12.7.1

Affected products

35
  • Moodle/Moodle35 versions
    cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*+ 34 more
    • cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=2.3.11
    • cpe:2.3:a:moodle:moodle:2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.3.10:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.3.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.3.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.3.9:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.4.10:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.4.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.4.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.4.9:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*

Patches

1
78ed99ec7e5e

MDL-45463 mod_lti: Prevent XML entity injections from provider

https://github.com/moodle/moodleFrederic MassartJun 10, 2014via ghsa
commit
1 file changed · +8 1
  • mod/lti/service.php+8 1 modified
    @@ -58,7 +58,14 @@
     throw new Exception('Message signature not valid');
 }
 
-$xml = new SimpleXMLElement($rawbody);
+// TODO MDL-46023 Replace this code with a call to the new library.
+$origentity = libxml_disable_entity_loader(true);
+$xml = simplexml_load_string($rawbody);
+if (!$xml) {
+    libxml_disable_entity_loader($origentity);
+    throw new Exception('Invalid XML content');
+}
+libxml_disable_entity_loader($origentity);
 
 $body = $xml->imsx_POXBody;
 foreach ($body->children() as $child) {

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.