Description
SQL injection vulnerability in the hotpot_delete_selected_attempts function in report.php in the HotPot module in Moodle 1.6 before 1.6.7, 1.7 before 1.7.5, 1.8 before 1.8.6, and 1.9 before 1.9.2 allows remote attackers to execute arbitrary SQL commands via a crafted selected attempt.
References (3)
Patch, Vendor Advisory x_refsource_confirm
http://moodle.org/mod/forum/discuss.php?d=101402
Exploit, Vendor Advisory x_refsource_misc
http://cvs.moodle.org/moodle/mod/hotpot/report.php?r1=1.8.6.1&r2=1.8.6.2
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2008/dsa-1691
Scores
EPSS: 0.0042
EPSS Percentile: 62.1%
Details
CWE: CWE-89
Status: published
Products (2)
debian/debian_linux: 4.0
moodle/moodle: 1.6 - 1.6.7
Published: Feb 13, 2009
Tracked Since: Feb 18, 2026