MSA-17-0005: SQL injection via user preferences

by Marina Glancy.  

Description:PoC was presented of SQL injection by an ordinary registered user on Moodle 3.2 via web interface. Similar scenario could be used in previous versions of Moodle but only by managers/admins and only via web services.
Issue summary:Remote Code Execution @ 3.2.1
Versions affected:3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions
Versions fixed:3.2.2, 3.1.5, 3.0.9 and 2.7.19
Reported by:Netanel Rubin
Issue no.:MDL-58010
CVE identifier:CVE-2017-2641
Changes (master):

Read more