CVE-2013-4313
Moodle < 2.2.11, 2.3.x < 2.3.9, 2.4.x < 2.4.6, 2.5.x < 2.5.2 - SQL Injection via Null Byte in Query String
Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string.
References (2)
Core References
Patch (x_refsource_confirm): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40676
Patch, Vendor Advisory (x_refsource_confirm): https://moodle.org/mod/forum/discuss.php?d=238396
Scores
EPSS: 0.0037
EPSS Percentile: 58.7%
Details
CWE: CWE-89
Status: published
Products (29)
moodle/moodle: 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9
... and 19 more
Published: Sep 16, 2013
Tracked Since: Feb 18, 2026