SQL Injection Risk in Moodle's XML-RPC Component Affecting Multiple Versions
CVE-2021-32474

7.2HIGH

Key Information:

Vendor: Moodle
Status: Moodle
Vendor: CVE Published:; 11 March 2022

What is CVE-2021-32474?

A SQL injection vulnerability exists in Moodle due to improper validation of XML-RPC calls from connected peer hosts with MNet enabled and configured. Exploitation of this vulnerability requires site administrator access or possession of the necessary keypair, making it crucial for administrators to implement the latest updates to prevent unauthorized data access on affected Moodle versions.

Affected Version(s)

moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17

References

https://moodle.org/mod/forum/discuss.php?d=422308

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2022
Vulnerability Reserved
May 7, 2021

CVE-2021-32474 Data

JSON