9.8
CVSSv3

CVE-2017-2641

Published: 26/03/2017 Updated: 16/08/2017
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 755
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

In Moodle 2.x and 3.x, SQL injection can occur via user preferences.

Vulnerable Product

moodle moodle 2.7.6

moodle moodle 2.7.7

moodle moodle 2.7.8

moodle moodle 2.7.15

moodle moodle 2.7.16

moodle moodle 3.0.1

moodle moodle 3.0.2

moodle moodle 3.0.0

moodle moodle 3.2.0

moodle moodle 2.7.1

moodle moodle 2.7.9

moodle moodle 2.7.10

moodle moodle 2.7.17

moodle moodle 2.7.18

moodle moodle 3.0.3

moodle moodle 3.0.4

moodle moodle 3.1.0

moodle moodle 3.1.4

moodle moodle 2.7.2

moodle moodle 2.7.3

moodle moodle 2.7.11

moodle moodle 2.7.12

moodle moodle 2.7.0

moodle moodle 3.0.5

moodle moodle 3.0.6

moodle moodle 3.2.1

moodle moodle 3.1.1

moodle moodle 2.7.4

moodle moodle 2.7.5

moodle moodle 2.7.13

moodle moodle 2.7.14

moodle moodle 3.0.7

moodle moodle 3.0.8

moodle moodle 3.1.2

moodle moodle 3.1.3

Exploits

# Exploit: Moodle SQL Injection via Object Injection Through User Preferences
# Date: April 6th, 2017
# Exploit Author: Marko Belzetski
# Contact: mbelzetski@protonmail.com
# Vendor Homepage: moodle.org/
# Version: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions
# Tested on: Moodle 3.2 running on php ...