CVE-2021-32474
HIGH
Moodle <3.5.18 and 3.10-3.10.3 - SQL Injection via XML-RPC MNet Call
Title source: llm
Description
An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.
References (1)
Core References
Patch, Vendor Advisory x_refsource_misc
https://moodle.org/mod/forum/discuss.php?d=422308
Scores
CVSS v3
7.2
EPSS
0.0085
EPSS Percentile
75.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (2)
moodle/moodle
< 3.5.18
moodle/moodle
3.10 - 3.10.4
Packagist
Published
Mar 11, 2022
Tracked Since
Feb 18, 2026