CVE-2021-32474

HIGH 7.2 | EPSS 1.0%

Moodle Blind SQL injection possible via MNet authentication

Published: 2022/3/12 | Modified: 2024/4/23
Also known as: GHSA-rvmc-8gmg-ggqr, BIT-moodle-2021-32474

Description

An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.

Affected packages (2)

CVSS Score

Source | Version | Severity | Vector
osv | CVSS 3.1 | HIGH 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References (3)