PT-2021-3114 · Moodle

Rekter0 · Published 2021-05-10 · Updated 2024-03-06 · CVE-2021-32474

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Moodle versions 3.5 to 3.5.17
Moodle versions 3.8 to 3.8.8
Moodle versions 3.9 to 3.9.6
Moodle versions 3.10 to 3.10.3
Description

An SQL injection risk exists on sites with MNet (Moodle Network) enabled and configured. The injection point is an XML-RPC call received from a connected peer host: data supplied by the peer in the call is not sufficiently cleaned before it reaches the database layer, so a remote attacker can execute arbitrary SQL queries against the Moodle database. Exploitation requires site administrator access on the target or possession of a peer's keypair, i.e. the attacker must already control, or be able to impersonate, a trusted MNet peer; this is why the CVSS vector carries Au:S (single authentication) despite the full confidentiality, integrity and availability impact. Sites that have never enabled MNet are not exposed.
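To make the weakness concrete, the following is an added example (not Moodle's code and not the actual vulnerable or patched MNet handler): a minimal model of the data flow the advisory describes, in which a string parameter from a peer's XML-RPC call is used to query a database. The vulnerable handler splices the peer-supplied value into the SQL text; the hardened handler binds it as a query parameter, which is the general remedy for this weakness class. The method name, table layout and user rows are constructed for the demonstration, and SQLite stands in for Moodle's database.

```python
"""Model of a peer-supplied XML-RPC parameter flowing into SQL.

Added example, not Moodle's code. The vulnerable handler concatenates the
parameter into the query; the fixed handler binds it. Everything here
(method name, table, rows) is constructed for illustration.
"""
import sqlite3
import xmlrpc.client

# Constructed sample rows standing in for a Moodle 'user' table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
    (3, "admin", "admin@example.org"),
]

# Hypothetical MNet-style method name used only by this example.
LOOKUP_METHOD = "example/lookup.php/user_by_name"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_call(method: str, *params) -> str:
    """Serialise the XML-RPC methodCall body a peer host would send."""
    return xmlrpc.client.dumps(params, methodname=method)


def parse_call(xml: str):
    """Decode an XML-RPC methodCall body into (method_name, params)."""
    params, method = xmlrpc.client.loads(xml)
    return method, params


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str):
    # INSECURE: the peer-supplied string becomes part of the SQL text, so a
    # quote in it terminates the literal and the rest is parsed as SQL.
    sql = (
        "SELECT id, username, email FROM user WHERE username = '%s'" % username
    )
    return conn.execute(sql).fetchall()


def lookup_user_fixed(conn: sqlite3.Connection, username: str):
    # Parameter binding: the value is sent separately from the query and can
    # never alter its structure, whatever characters it contains.
    sql = "SELECT id, username, email FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def handle(conn: sqlite3.Connection, xml: str, handler):
    """Dispatch a decoded peer call to the given lookup handler."""
    method, params = parse_call(xml)
    if method != LOOKUP_METHOD:
        raise ValueError("unknown method: %s" % method)
    if len(params) != 1 or not isinstance(params[0], str):
        raise ValueError("expected exactly one string parameter")
    return handler(conn, params[0])


if __name__ == "__main__":
    db = make_db()
    # A peer (or someone holding its keypair) sends an injection payload.
    hostile = build_call(LOOKUP_METHOD, "' OR '1'='1")
    print("vulnerable:", handle(db, hostile, lookup_user_vulnerable))
    print("fixed:     ", handle(db, hostile, lookup_user_fixed))
```

Run stand-alone, the vulnerable handler returns every row in the table for the hostile payload because the query collapses to `WHERE username = '' OR '1'='1'`, while the fixed handler returns nothing because it looks for a user literally named `' OR '1'='1`. The dispatch check on parameter type is the kind of input validation an XML-RPC entry point should do in addition to, not instead of, parameterised queries.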
Recommendations

Update to a release that contains the fix:

For Moodle versions 3.5 to 3.5.17, update to a version later than 3.5.17.
For Moodle versions 3.8 to 3.8.8, update to a version later than 3.8.8.
For Moodle versions 3.9 to 3.9.6, update to a version later than 3.9.6.
For Moodle versions 3.10 to 3.10.3, update to a version later than 3.10.3.

As a temporary workaround until the update is applied, restrict access to the MNet XML-RPC endpoint to the peer hosts you actually trust, and if MNet is not in use, leave it disabled so that the vulnerable code path is not reachable at all. Because exploitation requires a peer's keypair, treat any suspected compromise of a peer host as grounds to remove or re-key that peer.

Fix

Weakness Enumeration

SQL injection (CWE-89)

Related Identifiers

ALT-PU-2021-1777
ALT-PU-2022-1641
BDU:2021-02737
BIT-MOODLE-2021-32474
CVE-2021-32474
GHSA-RVMC-8GMG-GGQR

Affected Products

Alt Linux
Moodle