ALT-PU-2022-1476-2

BDU:2022-01636

HIGH8.8

Уязвимость виртуальной обучающей среды Moodle, связанная с непринятием мер по защите структуры запроса SQL , позволяющая нарушителю выполнять произвольные SQL-запросы в базе данных

Published: 2022-03-31

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2022-0983

BDU:2022-01638

MEDIUM6.3

Уязвимость виртуальной обучающей среды Moodle, связанная с недостатками контроля доступа, позволяющая нарушителю настроить значки курса с помощью критериев поля профиля

Published: 2022-03-31

CVSS 3.xMEDIUM 6.3

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

References

CVE-2022-0984

CVE-2022-0983

HIGH8.8

An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

Published: 2022-03-25Modified: 2024-11-21

CVSS 2.0MEDIUM 6.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2022-0984

MEDIUM4.3

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.

Published: 2022-04-29Modified: 2024-11-21

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References

CVE-2022-0985

MEDIUM4.3

Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.

Published: 2022-04-29Modified: 2024-11-21

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References

GHSA-6q9g-3vfq-q2qj

MEDIUM4.3

Improper Authentication in moodle

Published: 2022-04-30Modified: 2022-05-25

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References

GHSA-c5hf-mc85-2hx4

MEDIUM4.3

Missing authorization in Moodle

Published: 2022-04-30Modified: 2022-05-25

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References

GHSA-h2fw-93qx-vrcq

HIGH8.8

SQL Injection in Moodle

Published: 2022-03-26Modified: 2022-04-01

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Package update moodle in branch sisyphus

Closed issues (8)

An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.

Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.

Improper Authentication in moodle

Missing authorization in Moodle

SQL Injection in Moodle