by Marina Glancy.
|Description:||PoC was presented of SQL injection by an ordinary registered user on Moodle 3.2 via web interface. Similar scenario could be used in previous versions of Moodle but only by managers/admins and only via web services.|
|Issue summary:||Remote Code Execution @ 3.2.1|
|Versions affected:||3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions|
|Versions fixed:||3.2.2, 3.1.5, 3.0.9 and 2.7.19|
|Reported by:||Netanel Rubin|