Security announcements

MSA-17-0005: SQL injection via user preferences

Description: A proof of concept (PoC) was presented of an SQL injection exploitable by an ordinary registered user on Moodle 3.2 via the web interface. A similar scenario could be used in previous versions of Moodle, but only by managers/admins and only via web services.
Issue summary: Remote Code Execution @ 3.2.1
Severity/Risk: Serious
Versions affected: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions
Versions fixed: 3.2.2, 3.1.5, 3.0.9 and 2.7.19
Reported by: Netanel Rubin
Issue no.: MDL-58010
CVE identifier: CVE-2017-2641
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58010