Topic: Incorrect escaping when updating first post in a single simple discussion forum type
Severity/Risk: Minor
Versions affected: <1.9.6, <1.8.10
Reported by: Nicola Vitacolonna
Issue no.: MDL-20555
Solution: upgrade to latest weekly build or 1.9.6
Workaround: none
Description:
Nicola Vitacolonna discovered that the forum introduction is incorrectly escaped when editing the first post of a single simple discussion forum. This can potentially lead to SQL injection attacks by teachers. Students cannot exploit this problem.