Moodle.org: MSA-09-0019: SQL injection in update_record | Moodle.org

Forums
Documentation
Downloads
Demo
Tracker
Development
Translation
Search

Search
Moodle Sites

Moodle.org

MSA-09-0019: SQL injection in update_record

◄ MSA-09-0018: Incorrect escaping when updating first post in a single simple discussion forum type
MSA-09-0020: Teachers can view students' grades in all courses in the overview report ►

Topic:	SQL injection in update_record
Severity/Risk:	Critical
Versions affected:	<1.9.6, <1.8.10, 1.7.x
Reported by:	Georg-Christian Pranschke
Issue no.:	MDL-20309
Solution:	upgrade to latest weekly builds, 1.9.6 or 1.8.10
Workaround:	apply patches: http://cvs.moodle.org/moodle/lib/dmllib.php?r1=1.116.2.32&r2=1.116.2.33 http://cvs.moodle.org/moodle/lib/dmllib.php?r1=1.91.2.23&r2=1.91.2.24

Description:
Georg-Christian Pranschke discovered a serious problem in update_record function. This problem may allow any registered user to exploit several different scripts.