| Topic: | Flat file enrollments has various sql injection vulnerabilities |
| Severity: | Serious |
| Versions affected: | < 1.9.13 (2.x not affected) |
| Reported by: | Matt Meisberger |
| Issue no.: | MDL-28360 |
| Solution: | upgrade to 1.9.13 |
| Workaround: | escape quotes in user upload CSV files |
Description:
When uploading a CSV files with fields containing quotes, this could throw off SQL processing. This is only exploitable by admins, but could accidentally lead to DB corruption.