CVE-2006-4785

Name of the Vulnerable Software and Affected Versions Moodle versions 1.6.1 and earlier

Description A SQL injection issue allows remote attackers to execute arbitrary SQL commands via the format parameter stored in the $blogEntry variable. This variable is not properly handled by the insert record function, which calls adodb column sql in the adodb layer. The issue arises because the data type is not converted to an int.

Recommendations For Moodle versions 1.6.1 and earlier, consider restricting access to the blog/edit.php page until a fix is available. As a temporary workaround, avoid using the format parameter in the $blogEntry variable to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.