| Topic: | SQL injection in Wiki module |
| Severity/Risk: | Critical |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Matthew Slowe |
| Issue no.: | MDL-21818 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/mod/wiki/view.php?r1=1.76.2.6&r2=1.76.2.7 or remove mod/wiki/* if wiki module not used |
Description:
Matthew Slowe discovered that the data passed to add_to_log() function in wiki module is not sanitised properly, this could allow SQL injection type attacks if there are any instances of wiki in your courses.