CVE-2023-28329

HIGH

Moodle < 3.9.20 - SQL Injection

Title source: rule

Description

Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).

Exploits (1)

Scores

CVSS v3 8.8
EPSS 0.0039
EPSS Percentile 60.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-89
Status published
Products (7)
moodle/moodle 3.9.0
moodle/moodle 3.11.0
moodle/moodle 4.0.0
moodle/moodle 4.1.0
moodle/moodle 4.1.1
moodle/moodle 3.9.0 - 3.9.20
moodle/moodle 4.1.0 - 4.1.2 (Packagist)
Published Mar 23, 2023
Tracked Since Feb 18, 2026