Moodle — CWE-89

12 CVEs categorized as CWE-89 — SQL Injection in Moodle.

CVE-2025-26533 (HIGH, 2025)
An SQL injection risk was identified in the module list filter within course search.

CVE-2024-43436 (HIGH, 2024)
A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators.

CVE-2023-28329 (MEDIUM, 2023)
Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).

CVE-2022-40315 (CRITICAL, 2022)
A limited SQL injection risk was identified in the "browse list of users" site administration page.

CVE-2022-30599 (2022)
A flaw was found in Moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.

CVE-2022-0983 (2022)
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

CVE-2022-0332 (2022)
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.

CVE-2021-36393 (2021)
In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

CVE-2021-36392 (2021)
In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.

CVE-2021-32474 (2021)
An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are…

CVE-2020-25700 (2020)
In Moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in Moodle 3.8.6, 3.7.9, 3.5.15, and 3.10.

CVE-2016-7919 (HIGH, 2016)
Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting that "the person who is …