| Topic: | SQL injection in update_record |
| Severity/Risk: | Critical |
| Versions affected: | <1.9.6, <1.8.10, 1.7.x |
| Reported by: | Georg-Christian Pranschke |
| Issue no.: | MDL-20309 |
| Solution: | upgrade to latest weekly builds, 1.9.6 or 1.8.10 |
| Workaround: | apply patches: http://cvs.moodle.org/moodle/lib/dmllib.php?r1=1.116.2.32&r2=1.116.2.33 and http://cvs.moodle.org/moodle/lib/dmllib.php?r1=1.91.2.23&r2=1.91.2.24 |

Description:
Georg-Christian Pranschke discovered a serious problem in the update_record function. This problem may allow any registered user to exploit several different scripts.