SQL Injection Vulnerability in Moodle by Moodle
CVE-2023-28329

8.8HIGH

Key Information:

Vendor: Moodle
Status: moodle
Vendor: CVE Published:; 23 March 2023

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-28329?

The vulnerability arises from insufficient validation of the availability condition for profile fields in Moodle, potentially allowing unauthorized access to sensitive data through SQL injection. By default, this risk is primarily available to users with teacher or manager roles, which raises significant concerns about the security of user information and the integrity of data. It is crucial for affected users to apply security updates promptly to mitigate the risks associated with this vulnerability.

Affected Version(s)

moodle 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-28329
Created by cli-ish

References

https://moodle.org/mod/forum/discuss.php?d=445061

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Oct 18, 2023
👾
Exploit known to exist
Oct 18, 2023
Vulnerability published
Mar 23, 2023
Vulnerability Reserved
Mar 14, 2023