CVE-2016-7919
HIGHMoodle 3.1.2 - Exposure of Sensitive Information via SQL Injection in Installation Process
Title source: llmDescription
Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting that "the person who is installing Moodle must know database access credentials and they can access the database directly; there is no need for them to create a SQL injection in one of the installation dialogue fields.
References (3)
Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.youtube.com/watch?v=pQS1GdQ3CBc
Issue Tracking x_refsource_misc
https://tracker.moodle.org/browse/MDL-56298
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/93971
Scores
CVSS v3
7.5
EPSS
0.0031
EPSS Percentile
54.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
CWE-89
Status
published
Products (1)
moodle/moodle
3.1.2
Published
Oct 28, 2016
Tracked Since
Feb 18, 2026