PT-2022-6698 · Moodle+2 · Moodle+2

Paul Holden

Published

2022-01-17

Updated

2024-03-06

CVE-2022-0332

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Moodle versions 3.11 to 3.11.4

Description A flaw was found in the h5p activity web service of Moodle, which is responsible for fetching user attempt data. This flaw is related to insufficient protection of the SQL query structure, allowing for SQL injection. The vulnerability can be exploited by a remote attacker to execute arbitrary SQL queries in the database, potentially leading to reading, deleting, or modifying data in the database and gaining full control over the vulnerable application.

Recommendations For Moodle versions 3.11 to 3.11.4, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

ALT-PU-2022-1064

ALT-PU-2022-1476

ALT-PU-2022-1641

ALT-PU-2022-2450

BDU:2023-03479

BIT-MOODLE-2022-0332

CVE-2022-0332

GHSA-6JHM-4VMX-MR76

Affected Products

Alt Linux

Moodle

Red Os

PT-2022-6698 · Moodle+2 · Moodle+2

CVE-2022-0332

Weakness Enumeration

Related Identifiers

Affected Products

References · 22