CVE-2021-32474
Moodle Blind SQL injection possible via MNet authentication
CVSS 3.1 base score: 7.2 (HIGH)
EPSS: 1.0%
Description
An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.
How to fix CVE-2021-32474
To remediate CVE-2021-32474, upgrade the affected package to a fixed version below.
- upgrade to 3.5.18 or later
- upgrade to 3.10.4 or later
Is CVE-2021-32474 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- < 3.5.18; >= 3.8.0, < 3.8.9; >= 3.9.0, < 3.9.7; >= 3.10.0, < 3.10.4
- >= 3.10, < 3.10.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.2) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |